Package details: pkg:deb/debian/imagemagick@8:6.9.11.60%2Bdfsg-1.6%2Bdeb12u8
purl pkg:deb/debian/imagemagick@8:6.9.11.60%2Bdfsg-1.6%2Bdeb12u8
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (32)
Vulnerability Summary Aliases
VCID-1cpn-zvem-v7gt ImageMagick has uninitialized pointer dereference in JBIG decoder An uninitialized pointer dereference vulnerability exists in the JBIG decoder due to a missing check. CVE-2026-28691
GHSA-wj8w-pjxf-9g4f
VCID-2zje-ag2v-7kac ImageMagick has heap buffer overflow in WriteXWDImage due to CARD32 arithmetic overflow in bytes_per_line calculation A 32-bit unsigned integer overflow in the XWD (X Windows) encoder can cause an undersized heap buffer allocation. When writing an extremely large image, an out-of-bounds heap write can occur. ``` ================================================================= ==741961==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5020000083dc at pc 0x56553b4c4245 bp 0x7ffd9d20fef0 sp 0x7ffd9d20fee0 WRITE of size 1 at 0x5020000083dc thread T0 ``` CVE-2026-30937
GHSA-qpg4-j99f-8xcg
VCID-381g-7gdr-qydg ImageMagick: Magick.NET: ImageMagick and Magick.NET: Denial of Service via malicious MSL file processing CVE-2026-40312
GHSA-5xg3-585r-9jh5
VCID-441f-z9bp-vbdu ImageMagick: Magick.NET: ImageMagick: Denial of service via heap out-of-bounds write in JP2 encoder CVE-2026-40310
GHSA-pwg5-6jfc-crvh
VCID-54da-fzyt-4ud2 ImageMagick has stack write buffer overflow in MNG encoder A stack buffer overflow vulnerability exists in the MNG encoder. A bounds check is missing, which could corrupt the stack with attacker-controlled data. ``` ==2265506==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffec4971310 at pc 0x55e671b8a072 bp 0x7ffec4970f70 sp 0x7ffec4970f68 WRITE of size 1 at 0x7ffec4971310 thread T0 ``` CVE-2026-28690
GHSA-7h7q-j33q-hvpf
VCID-6h7x-3rue-kucp ImageMagick has a heap buffer over-read via 32-bit integer overflow in MAT decoder The MAT decoder uses 32-bit arithmetic due to incorrect parenthesization, resulting in a heap over-read. ``` ================================================================= ==969652==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x506000003b40 at pc 0x555557b2a926 bp 0x7fffffff4c80 sp 0x7fffffff4c70 READ of size 8 at 0x506000003b40 thread T0 ``` CVE-2026-28692
GHSA-mrmj-x24c-wwcv
VCID-6v1d-1wfr-vqd1 ImageMagick: Magick.NET: ImageMagick: Denial of Service via heap use-after-free in XMP profile processing CVE-2026-40311
GHSA-r83h-crwp-3vm7
VCID-7gb9-gd78-7bdu ImageMagick: Magick.NET: ImageMagick: Denial of Service due to heap buffer overflow in MVG decoder CVE-2026-33901
GHSA-x9h5-r9v2-vcww
VCID-a2qm-vkc3-qkd5 ImageMagick has Undefined Behavior (function-type-mismatch) in CloneSplayTree

## Summary

- **Target:** ImageMagick (commit `ecc9a5eb456747374bae8e07038ba10b3d8821b3`)
- **Type:** Undefined Behavior (function-type-mismatch) in splay tree cloning callback
- **Impact:** Deterministic abort under UBSan (DoS in sanitizer builds). No crash in a non-sanitized build; likely low security impact.
- **Trigger:** Minimal **2-byte** input parsed via MagickWand, then coalescing.

## Environment

OS: macOS (Apple Silicon/arm64)

```
Homebrew clang version 20.1.8
Target: arm64-apple-darwin24.5.0
Thread model: posix
InstalledDir: /opt/homebrew/Cellar/llvm/20.1.8/bin
Configuration file: /opt/homebrew/etc/clang/arm64-apple-darwin24.cfg
```

Homebrew ImageMagick: `magick -version` → `ImageMagick 7.1.2-0 Q16-HDRI aarch64`

pkg-config: `MagickWand-7.Q16HDRI` version `7.1.2`

Library configure flags (capsule build):

```
./configure --disable-shared --enable-static --without-modules --without-magick-plus-plus --disable-openmp --without-perl --without-x --with-png=yes --without-jpeg --without-tiff --without-xml --without-lqr --without-gslib
```

Harness compile flags:

```
-fsanitize=fuzzer,address,undefined -fno-omit-frame-pointer
```

pkg-config cflags/libs supplied: `-I<...>/include/ImageMagick-7 -DMAGICKCORE_HDRI_ENABLE=1 -DMAGICKCORE_QUANTUM_DEPTH=16 -DMAGICKCORE_CHANNEL_MASK_DEPTH=32` and linked against MagickWand-7.Q16HDRI and MagickCore-7.Q16HDRI

Sanitizer runtime: ASan+UBSan defaults. Repro also with `UBSAN_OPTIONS=print_stacktrace=1:halt_on_error=1`

## PoC

- **Bytes (hex):** `1c 02`
- **Base64:** `HAI=`
- **sha256 (optional):** <fill in>

## Reproduction

Create PoC: `printf '\x1c\x02' > poc.bin`

Option A: libFuzzer harness

- Run once: `./harness_ImageMagick_... -runs=1 ./poc.bin`
- Expected: UBSan aborts with function-type-mismatch at `MagickCore/splay-tree.c:372:43`.

Option B: standalone reproducer (C)

- Compile (ensure `PKG_CONFIG_PATH` points to your ImageMagick if needed):

```
/opt/homebrew/opt/llvm/bin/clang -g -O1 -fsanitize=address,undefined $(/opt/homebrew/bin/pkg-config --cflags MagickWand-7.Q16HDRI) repro.c -o repro $(/opt/homebrew/bin/pkg-config --libs MagickWand-7.Q16HDRI)
```

- Run:

```
UBSAN_OPTIONS=print_stacktrace=1:halt_on_error=1 ./repro ./poc.bin
```

## Observed output (excerpt)

```
MagickCore/splay-tree.c:372:43: runtime error: call to function ConstantString through pointer to incorrect function type 'void *(*)(void *)'
string.c:680: note: ConstantString defined here
#0 CloneSplayTree splay-tree.c:372
#1 CloneImageProfiles profile.c:159
#2 CloneImage image.c:832
#3 CoalesceImages layer.c:269
#4 MagickCoalesceImages magick-image.c:1665
#5 main repro.c:XX
```

## Root cause

The splay tree clone callback expects a function pointer of type `void *(*)(void *)`. ConstantString has a different signature (`char *ConstantString(const char *)`). Calling through the mismatched function type is undefined behavior in C and triggers UBSan’s function-type-mismatch. The path is exercised during coalescing: CloneImage → CloneImageProfiles → CloneSplayTree.

## Scope

Reproduces with a minimal, sanitizer-instrumented, PNG-enabled build and delegates disabled (policy.xml), suggesting the issue is in MagickCore rather than external delegates.

## Suggested fix (sketch)

Use a wrapper that matches the expected callback prototype, or adjust the splay-tree callback typedef for const-correctness. For example:

```c
static void *CloneStringShim(const void *p)
{
  return (void *) ConstantString((const char *) p);
}
/* When setting splay-tree clone_value, use CloneStringShim instead of ConstantString. */
```

Alternatively, update the clone callback typedefs to use const void* consistently (and return void*) and ensure callers pass a correctly typed wrapper.

## Artifacts

- Minimised PoC: attached (poc.bin, 2 bytes; base64 HAI=)
- Harness source and exact build command (attached)
- Full UBSan trace (attached)
- Commit SHA and configure flags (above)

## Credits

- Discovered by: Lumina Mescuwa
- Method: libFuzzer + UBSan

## Verification

- UBSan build: Reproduces with `halt_on_error=1`; aborts at `MagickCore/splay-tree.c:372`.
- Non-sanitized Homebrew build (macOS arm64, clang 20.1.8): No crash; repro completes silently.

CVE-2025-55160
GHSA-6hgw-6x87-578x
VCID-cuhw-ew1g-s3h2 ImageMagick has Heap Use-After-Free in ImageMagick MSL decoder A heap use-after-free vulnerability in ImageMagick's MSL decoder allows an attacker to trigger access to freed memory by crafting an MSL file. ``` ================================================================= ==1500633==ERROR: AddressSanitizer: heap-use-after-free on address 0x527000011550 at pc 0x5612583fa212 bp 0x7ffedb86d160 sp 0x7ffedb86d150 READ of size 8 at 0x527000011550 thread T0 ``` CVE-2026-28687
GHSA-fpvf-frm6-625q
VCID-eeju-vhdm-aqbe ImageMagick: Magick.NET: ImageMagick: Denial of Service via integer truncation in viff encoder CVE-2026-33900
GHSA-v67w-737x-v2c9
VCID-egwu-28fp-dye6 ImageMagick: ImageMagick: Denial of service via out-of-bounds read in -sample operation CVE-2026-33905
GHSA-pcvx-ph33-r5vv
VCID-g41y-dv8u-3yf1 ImageMagick has Heap Buffer Overflow in WaveletDenoiseImage A crafted image could cause an out of bounds heap write inside the WaveletDenoiseImage method. When processing a crafted image with the -wavelet-denoise operation an out of bounds write can occur. ``` ================================================================= ==661320==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x503000002754 at pc 0x5ff45f82c92a bp 0x7fffb732b400 sp 0x7fffb732b3f0 WRITE of size 4 at 0x503000002754 thread T0 ``` CVE-2026-30936
GHSA-5ggv-92r5-cp4p
VCID-g679-q851-xub7 ImageMagick: stack-based buffer overflow in sixel encoder CVE-2026-32259
VCID-j6tc-f4fc-mbcv ImageMagick: ImageMagick: Denial of Service via deeply nested expression in FX parser CVE-2026-33902
GHSA-f4qm-vj5j-9xpw
VCID-jc5m-7rvc-2qg6 ImageMagick has a heap-buffer-overflow in NewXMLTree which could result in crash The NewXMLTree method contains a bug that could result in a crash due to an out-of-bounds write of a single zero byte. CVE-2026-32636
GHSA-gc62-2v5p-qpmp
VCID-jcjk-s89c-mbbm ImageMagick: Invalid MSL <map> can result in a use after free The MSL interpreter crashes when processing an invalid `<map>` element that causes it to use an image after it has been freed. CVE-2026-26983
GHSA-w8mw-frc6-r7m8
VCID-n47w-r932-abey ImageMagick is vulnerable to Heap Overflow when writing extremely large image profile in the PNG encoder An extremely large image profile could result in a heap overflow when encoding a PNG image. CVE-2026-30883
GHSA-qmw5-2p58-xvrc
VCID-qjxn-gm96-7ygc ImageMagick: Magick.NET: ImageMagick: Denial of Service via integer overflow in despeckle operation CVE-2026-34238
GHSA-26qp-ffjh-2x4v
VCID-r3vw-ncns-cqgb ImageMagick is vulnerable to heap buffer over-write on 32-bit systems in SFW decoder An overflow on 32-bit systems can cause a crash in the SFW decoder when processing extremely large images. CVE-2026-31853
GHSA-56jp-jfqg-f8f4
VCID-rbdg-vz8x-ykah ImageMagick has heap use-after-free in the MSL encoder A heap-use-after-free vulnerability exists in the MSL encoder, where a cloned image is destroyed twice. The MSL coder does not support writing MSL so the write capability has been removed. ``` SUMMARY: AddressSanitizer: heap-use-after-free MagickCore/image.c:1195 in DestroyImage ``` CVE-2026-28688
GHSA-xxw5-m53x-j38c
VCID-rjkf-pdny-2fhn ImageMagick vulnerable to stack corruption through long morphology kernel names or arrays A stack buffer overflow exists in ImageMagick's morphology kernel parsing functions. User-controlled kernel strings exceeding a buffer are copied into fixed-size stack buffers via memcpy without bounds checking, resulting in stack corruption. CVE-2026-28494
GHSA-932h-jw47-73jm
VCID-sw7g-hxxr-n3e1 ImageMagick has a Path Policy TOCTOU symlink race bypass `domain="path"` authorization is checked before final file open/use. A symlink swap between check-time and use-time bypasses policy-denied read/write. CVE-2026-28689
GHSA-493f-jh8w-qhx3
VCID-tt6z-t31v-dkdd ImageMagick has an Out-of-bounds Write via InterpretImageFilename Due to an incorrect return value on certain platforms a pointer is incremented past the end of a buffer that is on the stack and that could result in an out of bounds write. ``` ================================================================= ==48558==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x00016b9b7490 at pc 0x0001046d48ac bp 0x00016b9b31d0 sp 0x00016b9b31c8 WRITE of size 1 at 0x00016b9b7490 thread T0 ``` CVE-2026-33536
GHSA-8793-7xv6-82cf
VCID-tv15-dcnu-pbbn ImageMagick: Heap overflow in pcd decoder leads to out of bounds read. The pcd coder lacks proper boundary checking when processing Huffman-coded data. The decoder contains a function that has an incorrect initialization that could cause an out-of-bounds read. ``` ==3900053==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x502000003c6c at pc 0x55601b9cc552 bp 0x7ffd904b1f70 sp 0x7ffd904b1f60 READ of size 1 at 0x502000003c6c thread T0 ``` CVE-2026-26284
GHSA-wrhr-rf8j-r842
VCID-utfe-h3b7-jqcj ImageMagick: MSL - Stack overflow in ProcessMSLScript ### Summary Magick fails to check for circular references between two MSLs, leading to a stack overflow. ### Details After reading a.msl using magick, the following is displayed: `MSLStartElement` -> `ReadImage` -> `ReadMSLImage` -> `ProcessMSLScript` -> `xmlParseChunk` -> `xmlParseTryOrFinish` -> `MSLStartElement` ```bash AddressSanitizer:DEADLYSIGNAL ================================================================= ==114345==ERROR: AddressSanitizer: UNKNOWN SIGNAL on unknown address 0x000000000000 (pc 0x72509fc7d804 bp 0x7ffd6598b390 sp 0x7ffd6598ab20 T0) #0 0x72509fc7d804 in strlen ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:388 [...] ``` CVE-2026-25971
GHSA-8mpr-6xr2-chhc
VCID-uvkp-1zss-57gr ImageMagick: Magick.NET: ImageMagick: Denial of Service via deeply nested XML file processing CVE-2026-33908
GHSA-fwvm-ggf6-2p4x
VCID-w9zg-tsbg-afa1 ImageMagick: Magick.NET: ImageMagick: Denial of Service via out-of-bounds write in XML parsing CVE-2026-33899
GHSA-cr67-pvmx-2pp2
VCID-x8c6-9pse-xkc8 ImageMagick: Integer overflow in DIB coder can result in out of bounds read or write An integer overflow in DIB coder can result in out of bounds read or write CVE-2026-28693
GHSA-hffp-q43q-qq76
VCID-y58b-be93-hbfd ImageMagick: Write heap-buffer-overflow in PCL encoder via undersized output buffer A heap-buffer-overflow vulnerability exists in the PCL encoder due to an undersized output buffer allocation. ``` WRITE of size 1 at 0x7e79f91f31a0 thread T0 ``` CVE-2026-28686
GHSA-467j-76j7-5885
VCID-zab9-9tqj-hbhg ImageMagick: Memory allocation with excessive without limits in the internal SVG decoder A crafted SVG file containing a malicious element causes ImageMagick to attempt to allocate ~674 GB of memory, leading to an out-of-memory abort. Found via AFL++ fuzzing with afl-clang-lto instrumentation and AddressSanitizer. CVE-2026-25985
GHSA-v7g2-m8c5-mf84
VCID-zvq4-ybph-buga ImageMagick has an Out-of-Bounds write of a zero byte in its X11 display interaction An out-of-bounds write of a zero byte exists in the X11 `display` interaction path that could lead to a crash. CVE-2026-33535
GHSA-mw3m-pqr2-qv7c

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-21T17:48:01.610886+00:00 Debian Importer Fixing VCID-54da-fzyt-4ud2 https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-21T17:39:21.129793+00:00 Debian Importer Fixing VCID-eeju-vhdm-aqbe https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-21T16:36:42.894080+00:00 Debian Importer Fixing VCID-qjxn-gm96-7ygc https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-21T16:16:01.424919+00:00 Debian Importer Fixing VCID-6v1d-1wfr-vqd1 https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-19T05:58:42.393245+00:00 Debian Importer Fixing VCID-tv15-dcnu-pbbn https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-19T05:54:30.733699+00:00 Debian Importer Fixing VCID-2zje-ag2v-7kac https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-19T05:53:07.557929+00:00 Debian Importer Fixing VCID-j6tc-f4fc-mbcv https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-19T05:49:07.556427+00:00 Debian Importer Fixing VCID-tt6z-t31v-dkdd https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-19T05:40:02.227618+00:00 Debian Importer Fixing VCID-g41y-dv8u-3yf1 https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-19T05:39:21.740566+00:00 Debian Importer Fixing VCID-utfe-h3b7-jqcj https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-19T05:25:14.984996+00:00 Debian Importer Fixing VCID-x8c6-9pse-xkc8 https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-19T05:19:16.452776+00:00 Debian Importer Fixing VCID-jc5m-7rvc-2qg6 https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-19T05:08:25.170010+00:00 Debian Importer Fixing VCID-egwu-28fp-dye6 https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-19T05:04:27.747628+00:00 Debian Importer Fixing VCID-y58b-be93-hbfd https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-19T04:58:32.569194+00:00 Debian Importer Fixing VCID-1cpn-zvem-v7gt https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-19T04:33:12.069517+00:00 Debian Importer Fixing VCID-rjkf-pdny-2fhn https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-19T04:27:59.940364+00:00 Debian Importer Fixing VCID-w9zg-tsbg-afa1 https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-19T04:24:52.028145+00:00 Debian Importer Fixing VCID-rbdg-vz8x-ykah https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-19T04:22:34.929793+00:00 Debian Importer Fixing VCID-zab9-9tqj-hbhg https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-19T04:12:38.531994+00:00 Debian Importer Fixing VCID-jcjk-s89c-mbbm https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-19T04:02:08.875790+00:00 Debian Importer Fixing VCID-7gb9-gd78-7bdu https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-19T04:01:03.004530+00:00 Debian Importer Fixing VCID-381g-7gdr-qydg https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-19T03:41:02.084572+00:00 Debian Importer Fixing VCID-cuhw-ew1g-s3h2 https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-19T03:23:54.114537+00:00 Debian Importer Fixing VCID-sw7g-hxxr-n3e1 https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-19T03:19:31.215302+00:00 Debian Importer Fixing VCID-g679-q851-xub7 https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-19T03:16:52.807716+00:00 Debian Importer Fixing VCID-zvq4-ybph-buga https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-19T03:13:50.145354+00:00 Debian Importer Fixing VCID-441f-z9bp-vbdu https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-19T03:13:25.896240+00:00 Debian Importer Fixing VCID-n47w-r932-abey https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-19T03:10:52.491132+00:00 Debian Importer Fixing VCID-uvkp-1zss-57gr https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-19T03:05:40.604997+00:00 Debian Importer Fixing VCID-a2qm-vkc3-qkd5 https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-19T03:03:14.225938+00:00 Debian Importer Fixing VCID-r3vw-ncns-cqgb https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-19T02:49:20.982087+00:00 Debian Importer Fixing VCID-6h7x-3rue-kucp https://security-tracker.debian.org/tracker/data/json 38.4.0