SB2026030565 - Multiple vulnerabilities in ImageMagick



SB2026030565 - Multiple vulnerabilities in ImageMagick

Published: March 5, 2026 Updated: March 6, 2026

Security Bulletin ID SB2026030565
CSH Severity
High
Patch available
YES
Number of vulnerabilities 20
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

High 10% Medium 75% Low 15%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 20 vulnerabilities.


1) Out-of-bounds read (CVE-ID: N/A)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in the PSB (PSD v2) RLE decoding path. A remote attacker can trigger an out-of-bounds read error and read contents of memory on the system.


2) Stack-based buffer overflow (CVE-ID: CVE-2026-25968)

CWE-ID: CWE-121 - Stack-based buffer overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to a boundary error when processing the an attribute in msl.c. A remote unauthenticated attacker can trigger stack-based buffer overflow and gain access to sensitive information or perform a denial of service (DoS) attack.


3) Memory leak (CVE-ID: CVE-2026-25988)

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak in msl.c. A remote attacker can force the application to leak memory and perform denial of service attack.


4) Stack-based buffer overflow (CVE-ID: CVE-2026-25967)

CWE-ID: CWE-121 - Stack-based buffer overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in the FTXT image reader. A remote unauthenticated attacker can trigger stack-based buffer overflow and cause a denial of service condition on the target system.


5) Division by zero (CVE-ID: CVE-2026-25799)

CWE-ID: CWE-369 - Divide By Zero

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the divide-by-zero issue in YUV sampling factor validation. A remote attacker can cause a denial of service condition on the target system.


6) Memory leak (CVE-ID: CVE-2026-25638)

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak in coders/msl.c. A remote attacker can force the application to leak memory and perform denial of service attack.


7) Out-of-bounds write (CVE-ID: CVE-2026-25986)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error in ReadYUVImage() (coders/yuv.c) when processing malicious YUV 4:2:2 (NoInterlace) images. A remote attacker can trigger an out-of-bounds write and perform a denial of service (DoS) attack.


8) Out-of-bounds read (CVE-ID: CVE-2026-25987)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in the MAP image decoder when processing crafted MAP files. A remote attacker can trigger an out-of-bounds read error and read contents of memory on the system.


9) NULL pointer dereference (CVE-ID: CVE-2026-25798)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in ClonePixelCacheRepository. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.


10) Improper access control (CVE-ID: CVE-2026-25966)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in config/policy-secure.xml within "fd handler". A local attacker can bypass implemented security restrictions and gain unauthorized access to the application.


11) Heap-based buffer overflow (CVE-ID: CVE-2026-26284)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to a boundary error in pcd decoder. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and gain acces to sensitive information or perform a denial of service (DoS) attack.


12) Resource exhaustion (CVE-ID: CVE-2026-24485)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when parsing a PCD file. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


13) Resource exhaustion (CVE-ID: CVE-2026-24484)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application fails to check for multi-layer nested mvg conversions to svg. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


14) Out-of-bounds read (CVE-ID: CVE-2026-24481)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in PSD (Adobe Photoshop) format handler. A remote attacker can trigger an out-of-bounds read error and read contents of memory on the system.


15) Use-after-free (CVE-ID: CVE-2026-25983)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in MSLStartElement in MSL decoder. A remote attacker can perform a denial of service (DoS) attack.


16) Out-of-bounds read (CVE-ID: CVE-2026-25576)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in multiple raw image format handles. A local attacker can trigger an out-of-bounds read error and read contents of memory on the system.


17) Out-of-bounds read (CVE-ID: CVE-2026-25982)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in the coders/dcm.c module. A remote attacker can trigger an out-of-bounds read error and read contents of memory on the system or perform a denial of service (DoS) attack.


18) Uncontrolled Recursion (CVE-ID: CVE-2026-25971)

CWE-ID: CWE-674 - Uncontrolled Recursion

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to poorly bounded recursion in ProcessMSLScript. A local attacker can cause a denial of service condition on the target system.


19) Integer overflow (CVE-ID: CVE-2026-25970)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to integer overflow in SIXEL decoder. A remote attacker can pass specially crafted data to the application, trigger integer overflow and cause a denial of service condition on the target system.


20) Memory leak (CVE-ID: CVE-2026-25969)

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak in coders/ashlar.c. A remote attacker can force the application to leak memory and perform denial of service attack.


Remediation

Install update from vendor's website.

References