CVE-2026-49218: ImageMagick: Policy Bypass in DCM decoder could result in image with invalid dimensions
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-24, a missing check in the DCM decoder could result in an image with invalid dimensions, which could cause crashes in other operations. This issue has been patched in versions 6.9.13-48 and 7.1.2-24.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A denial-of-service vulnerability exists in the DCM (DICOM medical image) decoder in ImageMagick. The flaw is reachable over the network with no authentication required, and arises from a missing dimension-validity check when parsing DCM files. Successful exploitation causes ImageMagick to process an image with invalid dimensions, crashing the application and any downstream pipeline that depends on it. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment fix versions are confirmed upstream.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle ImageMagick as a layer dependency. Any image in a customer registry or CI pipeline containing an affected ImageMagick version is flagged automatically.
Status: Available
HarborGuard scores this issue at CVSS 7.5 HIGH and weights it against each environment's compliance policy to determine urgency and routing. Triage findings are surfaced to the appropriate team inbox within each customer organization based on configured ownership rules.
Status: Available
Because no fix versions have been published upstream as of this record, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a confirmed fix version appears. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will trigger automatically at that point.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The vulnerable decoder is reachable over the network, meaning an attacker can deliver a malformed DCM file to any ImageMagick instance exposed to network input.
- Authentication: Not required
No credentials or account are needed; an unauthenticated attacker can submit a crafted file directly.
- Victim interaction: Not required
No user action is required beyond the service processing the attacker-supplied file in the normal course of operation.
- Attack complexity: Low (AC:L in the CVSS vector)
Exploit conditions are straightforward and reliable, requiring no race conditions, special memory layout, or environmental prerequisites.
Blast Radius
- Crashes the ImageMagick process handling the malformed DCM file, interrupting any image-processing job in progress.
- Brings down any service or pipeline stage that calls ImageMagick synchronously, causing a full processing outage for that component.
- Enables repeated denial-of-service by submitting crafted DCM files in a loop, keeping the affected service unavailable indefinitely.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix version exists yet, HarborGuard continuously re-evaluates this advisory on every ingest cycle and will surface a patched-image rebuild the moment ImageMagick ships a confirmed fix. In the interim, compensating controls are worth considering: network policy rules that restrict which sources can submit files to ImageMagick-backed services, input-validation layers that reject DCM files before they reach the decoder, and ImageMagick policy.xml rules that disable the DCM coder entirely if DICOM support is not operationally required. For customers with auto-remediation enabled, the full rebuild-and-PR flow will trigger automatically once a fix version is published upstream.
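As an added example (not part of the HarborGuard record or of ImageMagick's own code), the following Python check flags an installed ImageMagick build that predates the fix versions named in the description above and verifies whether a policy.xml already denies the DCM coder, which is the compensating control mentioned here. The version output and policy.xml it operates on are constructed samples.

```python
"""Flag ImageMagick builds below the DCM-decoder fix versions and check
whether policy.xml already disables the DCM coder."""
import re
import xml.etree.ElementTree as ET

# Fix versions taken from the advisory description: 6.9.13-48 and 7.1.2-24,
# keyed by major line as (major, minor, patch, build).
FIXED = {6: (6, 9, 13, 48), 7: (7, 1, 2, 24)}

# ImageMagick reports e.g. "Version: ImageMagick 7.1.2-23 Q16-HDRI x86_64 ..."
_VER_RE = re.compile(r"ImageMagick\s+(\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_version(version_output: str) -> tuple:
    """Return (major, minor, patch, build) from `magick -version` output."""
    m = _VER_RE.search(version_output)
    if not m:
        raise ValueError("no ImageMagick version string found")
    return tuple(int(x) for x in m.groups())


def is_affected(version_output: str) -> bool:
    """True when the installed build is older than the fix for its major line."""
    ver = parse_version(version_output)
    fixed = FIXED.get(ver[0])
    if fixed is None:
        # Unknown major line: report as affected so a human reviews it.
        return True
    return ver < fixed  # tuple comparison orders 7.1.2-9 before 7.1.2-24


def dcm_coder_disabled(policy_xml: str) -> bool:
    """True when a coder policy with rights="none" covers DCM (or all coders)."""
    root = ET.fromstring(policy_xml)
    for pol in root.iter("policy"):
        if pol.get("domain") != "coder" or pol.get("rights") != "none":
            continue
        # pattern may name one coder, a brace list like "{DCM,EPS}", or "*"
        names = [n.strip().upper() for n in pol.get("pattern", "").strip("{}").split(",")]
        if "*" in names or "DCM" in names:
            return True
    return False


# Constructed sample inputs (not taken from the advisory page).
SAMPLE_VERSION = "Version: ImageMagick 7.1.2-23 Q16-HDRI x86_64 (constructed)"
SAMPLE_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="{DCM,EPS}" />
</policymap>"""

if __name__ == "__main__":
    print("affected:", is_affected(SAMPLE_VERSION))          # True
    print("DCM coder disabled:", dcm_coder_disabled(SAMPLE_POLICY))  # True
```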
Affected Products
- ImageMagick / ImageMagick: < 6.9.13-48 · < 7.1.2-24
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H