Debian Imagemagick vulnerabilities
727 known vulnerabilities affecting debian/imagemagick.
Total CVEs: 727
CISA KEV: 3 (actively exploited)
Public exploits: 12
Exploited in wild: 3
Severity breakdown: CRITICAL 24, HIGH 138, MEDIUM 255, LOW 310
Vulnerabilities
Page 1 of 37
CVE-2026-28494 | HIGH | CVSS 7.1 | fixed in imagemagick 8:7.1.2.16+dfsg1-1 (forky) | 2026
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a stack buffer overflow exists in ImageMagick's morphology kernel parsing functions. User-controlled kernel strings exceeding a buffer are copied into fixed-size stack buffers via memcpy without bounds checking, resulting in st

CVE-2026-23876 | HIGH | CVSS 8.1 | fixed in imagemagick 8:6.9.11.60+dfsg-1.6+deb12u6 (bookworm) | 2026
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-13 and 6.9.13-38, a heap buffer overflow vulnerability in the XBM image decoder (ReadXBMImage) allows an attacker to write controlled data past the allocated heap buffer when processing a maliciously crafted image file. Any operation that reads

CVE-2026-28691 | HIGH | CVSS 7.5 | fixed in imagemagick 8:7.1.2.16+dfsg1-1 (forky) | 2026
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, an uninitialized pointer dereference vulnerability exists in the JBIG decoder due to a missing check. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 8

CVE-2026-25965 | HIGH | CVSS 8.6 | fixed in imagemagick 8:6.9.11.60+dfsg-1.6+deb12u7 (bookworm) | 2026
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, ImageMagick’s path security policy is enforced on the raw filename string before the filesystem resolves it. As a result, a policy rule such as /etc/* can be bypassed by a path traversal. The OS resolves the traversal and opens

CVE-2026-24485 | HIGH | CVSS 7.5 | fixed in imagemagick 8:6.9.11.60+dfsg-1.6+deb12u7 (bookworm) | 2026
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, when a PCD file does not contain a valid Sync marker, the DecodeImage() function becomes trapped in an infinite loop while searching for the Sync marker, causing the program to become unresponsive and continuously consume CPU r

CVE-2026-25985 | HIGH | CVSS 7.5 | fixed in imagemagick 8:7.1.2.15+dfsg1-1 (forky) | 2026
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted SVG file containing a malicious element causes ImageMagick to attempt to allocate ~674 GB of memory, leading to an out-of-memory abort. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
Scope: local
bookworm: open
bul

CVE-2026-25989 | HIGH | CVSS 7.5 | fixed in imagemagick 8:6.9.11.60+dfsg-1.6+deb12u7 (bookworm) | 2026
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted SVG file can cause a denial of service. An off-by-one boundary check (`>` instead of `>=`) allows input to bypass the guard and reach an undefined `(size_t)` cast. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
Scope: l

CVE-2026-24481 | HIGH | CVSS 7.5 | fixed in imagemagick 8:6.9.11.60+dfsg-1.6+deb12u7 (bookworm) | 2026
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap information disclosure vulnerability exists in ImageMagick's PSD (Adobe Photoshop) format handler. When processing a maliciously crafted PSD file containing ZIP-compressed layer data that decompresses to less than the ex

CVE-2026-25968 | HIGH | CVSS 7.4 | fixed in imagemagick 8:6.9.11.60+dfsg-1.6+deb12u7 (bookworm) | 2026
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a stack buffer overflow occurs when processing an attribute in msl.c. A long value overflows a fixed-size stack buffer, leading to memory corruption. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
Scope: local
bookworm: r

CVE-2026-28693 | HIGH | CVSS 8.1 | fixed in imagemagick 8:7.1.2.16+dfsg1-1 (forky) | 2026
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, an integer overflow in the DIB coder can result in an out-of-bounds read or write. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 8:7.1.2.16+dfsg1-1)
sid: re

CVE-2026-25983 | MEDIUM | CVSS 5.3 | fixed in imagemagick 8:6.9.11.60+dfsg-1.6+deb12u7 (bookworm) | 2026
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted MSL script triggers a heap-use-after-free. The operation element handler replaces and frees the image while the parser continues reading from it, leading to a UAF in ReadBlobString during further parsing. Versions 7

CVE-2026-23874 | MEDIUM | CVSS 5.5 | fixed in imagemagick 8:6.9.11.60+dfsg-1.6+deb12u6 (bookworm) | 2026
ImageMagick is free and open-source software used for editing and manipulating digital images. Versions prior to 7.1.2-13 have a stack overflow via infinite recursion in MSL (Magick Scripting Language) `` command when writing to MSL format. Version 7.1.2-13 fixes the issue.
Scope: local
bookworm: resolved (fixed in 8:6.9.11.60+dfsg-1.6+deb12u6)
bullseye: resol

CVE-2026-28686 | MEDIUM | CVSS 6.8 | fixed in imagemagick 8:7.1.2.16+dfsg1-1 (forky) | 2026
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a heap-buffer-overflow vulnerability exists in the PCL encoder due to an undersized output buffer allocation. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
Scope: local
bookworm: open
bullseye: open
forky: resolved (f

CVE-2026-25988 | MEDIUM | CVSS 5.3 | fixed in imagemagick 8:6.9.11.60+dfsg-1.6+deb12u7 (bookworm) | 2026
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, sometimes msl.c fails to update the stack index, so an image is stored in the wrong slot and never freed on error, causing leaks. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
Scope: local
bookworm: resolved (fixed in 8:6.

CVE-2026-33535 | MEDIUM | CVSS 4.0 | fixed in imagemagick 8:7.1.2.18+dfsg1-1 (forky) | 2026
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-18 and 6.9.13-43, an out-of-bounds write of a zero byte exists in the X11 `display` interaction path that could lead to a crash. Versions 7.1.2-18 and 6.9.13-43 patch the issue.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 8:7.1

CVE-2026-25797 | MEDIUM | CVSS 5.7 | fixed in imagemagick 8:6.9.11.60+dfsg-1.6+deb12u7 (bookworm) | 2026
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, the ps coders, responsible for writing PostScript files, fail to sanitize the input before writing it into the PostScript header. An attacker can provide a malicious file and inject arbitrary PostScript code. When the resulti

CVE-2026-30936 | MEDIUM | CVSS 5.5 | fixed in imagemagick 8:7.1.2.16+dfsg1-1 (forky) | 2026
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a crafted image could cause an out of bounds heap write inside the WaveletDenoiseImage method. When processing a crafted image with the -wavelet-denoise operation an out of bounds write can occur. This vulnerability is fixed

CVE-2026-33536 | MEDIUM | CVSS 5.1 | fixed in imagemagick 8:7.1.2.18+dfsg1-1 (forky) | 2026
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-18 and 6.9.13-43, due to an incorrect return value on certain platforms a pointer is incremented past the end of a buffer that is on the stack and that could result in an out of bounds write. Versions 7.1.2-18 and 6.9.13-43 patch the issue.
Scope: loca

CVE-2026-28692 | MEDIUM | CVSS 4.8 | fixed in imagemagick 8:7.1.2.16+dfsg1-1 (forky) | 2026
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, the MAT decoder uses 32-bit arithmetic due to incorrect parenthesization, resulting in a heap over-read. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 8

CVE-2026-26983 | MEDIUM | CVSS 5.3 | fixed in imagemagick 8:7.1.2.15+dfsg1-1 (forky) | 2026
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, the MSL interpreter crashes when processing an invalid `` element that causes it to use an image after it has been freed. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
Scope: local
bookworm: open
bullseye: open
forky: resol