CVE-2026-56379: ImageMagick - Command Injection via SVG Decoder
ImageMagick before 7.1.2-15 and 6.9.13-40 contains a command injection vulnerability in the SVG decoder that allows attackers to inject arbitrary MVG drawing commands. Attackers can craft malicious SVG files with injected Magick Vector Graphics commands that execute during rendering.
Metrics
- CVSS v4.0: 9.2
- Severity: CRITICAL
- Fixed in: 6.9.13-40
- Affected Products: 2
HarborGuard Analysis
Synopsis
Command injection in ImageMagick's SVG decoder allows an attacker to embed arbitrary Magick Vector Graphics (MVG) commands inside a crafted SVG file. The vulnerability is reachable over the network with no authentication required, and exploitation succeeds when ImageMagick renders the malicious file. Successful exploitation gives the attacker full read, write, and denial-of-service capability against the host process. Patched-image rebuilds at versions 6.9.13-40 and 7.1.2-15 are available on HarborGuard for affected environments.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle ImageMagick directly. Any image layer containing a vulnerable ImageMagick version is flagged automatically.
HarborGuard scores this finding at CVSS 9.2 Critical and weights it against each customer environment's compliance policy to determine escalation priority. Findings are routed to the team inbox configured for the affected registry or pipeline, keeping noise out of unrelated channels.
A patched-image rebuild at ImageMagick 6.9.13-40 or 7.1.2-15 becomes available on HarborGuard as soon as the fix versions are resolvable in the upstream package graph. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against each affected workload; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled.
Exploit Conditions
- Network reachability: Required
The attacker must be able to deliver a crafted SVG file to a service that passes it to ImageMagick for rendering, exposing the vulnerability over the network.
- Authentication: Not required
No credentials or session token are needed; any unauthenticated request that triggers SVG rendering is sufficient.
- Victim interaction: Not required
No user action is required; exploitation occurs automatically when the server-side ImageMagick process renders the malicious file.
- Attack complexity: High
Attack complexity is high, meaning the attacker must satisfy specific preconditions such as timing constraints or particular processing states before the injected MVG commands execute reliably.
Blast Radius
- Reads arbitrary files accessible to the ImageMagick process, including application secrets and credentials stored on disk.
- Writes or overwrites files within the process's reach, allowing the attacker to tamper with application data or drop malicious content.
- Crashes or hangs the ImageMagick rendering process, disrupting any service that depends on image processing.
- Depending on deployment context, injected MVG commands may invoke shell primitives that pivot to broader host compromise.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of CVE publication for any image containing a vulnerable ImageMagick version, covering both upstream base images and custom-built layers. For environments with auto-remediation enabled, HarborGuard rebuilds the image at the patched version (6.9.13-40 for the 6.x line, 7.1.2-15 for the 7.x line), runs regression tests, and opens a PR against affected workloads; median time to a merged patch PR for critical-severity issues is around 90 minutes. Where compliance policy does not permit automated changes, the finding is escalated to the configured team inbox with remediation steps attached. As an immediate compensating control, network policy rules that restrict which services are permitted to accept and render user-supplied SVG content can reduce the attack surface until the patched image is deployed.
Fix available
- ImageMagick / ImageMagick: affected < 7.1.2-15 (from 0), fixed in 7.1.2-15
- ImageMagick / ImageMagick: affected < 6.9.13-40 (from 0), fixed in 6.9.13-40
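The affected ranges above are per release line, and ImageMagick's patch level sits after a hyphen (7.1.2-14) upstream but after a fourth dot with an epoch prefix in Debian/Ubuntu package versions (8:6.9.11.60+dfsg-1.3). A naive string comparison gets both wrong. The following is an added example, not HarborGuard's or ImageMagick's code, of a version check that normalises both forms and classifies a version against the two fix versions stated in this advisory; the sample banner and inventory are constructed for the demonstration.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]

# Fix versions exactly as stated in the advisory, one per release line.
FIXED_7: Version = (7, 1, 2, 15)
FIXED_6: Version = (6, 9, 13, 40)

# Accepts upstream "7.1.2-14" and distro "8:6.9.11.60+dfsg-1.3" forms:
# optional epoch, three dotted numbers, then an optional patch level after
# "-" or ".". Anything after that (distro suffix) is ignored.
_VERSION_RE = re.compile(r"^(?:\d+:)?(\d+)\.(\d+)\.(\d+)(?:[.-](\d+))?")


def parse_version(text: str) -> Version:
    """Normalise an ImageMagick version string to (major, minor, micro, patch)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ImageMagick version: {text!r}")
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))


def version_from_banner(banner: str) -> Optional[str]:
    """Pull the version token out of `magick --version` / `convert --version` output."""
    m = re.search(r"ImageMagick\s+(\d+\.\d+\.\d+(?:-\d+)?)", banner)
    return m.group(1) if m else None


def assess(text: str) -> str:
    """Classify a version against the advisory's affected ranges.

    Returns 'vulnerable', 'fixed', or 'unassessed' for a release line the
    advisory does not cover (a hypothetical 8.x, for example)."""
    v = parse_version(text)
    if v[0] == 7:
        return "vulnerable" if v < FIXED_7 else "fixed"
    if v[0] <= 6:
        # The 6.x range starts "from 0", so older lines fall inside it as well.
        return "vulnerable" if v < FIXED_6 else "fixed"
    return "unassessed"


def scan_inventory(inventory: Dict[str, str]) -> List[str]:
    """Return the names of inventory entries whose ImageMagick version is vulnerable."""
    return sorted(name for name, ver in inventory.items() if assess(ver) == "vulnerable")


# Constructed sample of what `magick --version` prints; the build number and
# platform are placeholders, not taken from a real host.
SAMPLE_BANNER = "Version: ImageMagick 7.1.1-38 Q16-HDRI x86_64 22763 https://imagemagick.org"

# Constructed image inventory (image name -> ImageMagick version found in the layer).
SAMPLE_INVENTORY = {
    "web-thumbnailer:2.3": "7.1.2-14",
    "web-thumbnailer:2.4": "7.1.2-15",
    "legacy-converter:1.0": "8:6.9.11.60+dfsg-1.3+deb11u2",
    "report-renderer:5.1": "6.9.13-40",
}

if __name__ == "__main__":
    banner_version = version_from_banner(SAMPLE_BANNER)
    print(f"banner version {banner_version}: {assess(banner_version)}")
    for name, ver in SAMPLE_INVENTORY.items():
        print(f"{name:24s} {ver:32s} {assess(ver)}")
    print("vulnerable images:", scan_inventory(SAMPLE_INVENTORY))
```

One caveat when applying this to distribution packages: a distro may backport the fix without raising the upstream version number, so a version-only comparison can produce a false positive there; the distro's own security tracker is the authority for those packages, and the version check is best treated as a first-pass filter.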
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N