CVE-2026-28690: ImageMagick has stack write buffer overflow in MNG encoder

March 12, 2026

A stack buffer overflow vulnerability exists in the MNG encoder. There is a bounds checks missing that could corrupting the stack with attacker-controlled data.

==2265506==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffec4971310 at pc 0x55e671b8a072 bp 0x7ffec4970f70 sp 0x7ffec4970f68
WRITE of size 1 at 0x7ffec4971310 thread T0

References

github.com/ImageMagick/ImageMagick
github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7h7q-j33q-hvpf
github.com/advisories/GHSA-7h7q-j33q-hvpf
github.com/dlemstra/Magick.NET/releases/tag/14.10.4
nvd.nist.gov/vuln/detail/CVE-2026-28690

Code Behaviors & Features

Detect and mitigate CVE-2026-28690 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →