Search for packages
| purl | pkg:deb/debian/imagemagick@8:7.1.1.43%2Bdfsg1-1%2Bdeb13u5 |
| Next non-vulnerable version | 8:7.1.1.43+dfsg1-1+deb13u7 |
| Latest non-vulnerable version | 8:7.1.2.19+dfsg1-1 |
| Risk | 3.4 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-2yv5-qdeg-9bag
Aliases: CVE-2026-40183 GHSA-jvgr-9ph5-m8v4 |
ImageMagick: Magick.NET: ImageMagick: Denial of Service via heap write overflow in JXL encoder |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-381g-7gdr-qydg
Aliases: CVE-2026-40312 GHSA-5xg3-585r-9jh5 |
ImageMagick: Magick.NET: ImageMagick and Magick.NET: Denial of Service via malicious MSL file processing |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-441f-z9bp-vbdu
Aliases: CVE-2026-40310 GHSA-pwg5-6jfc-crvh |
ImageMagick: Magick.NET: ImageMagick: Denial of service via heap out-of-bounds write in JP2 encoder |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-4s37-h3p7-6uab
Aliases: CVE-2026-40169 GHSA-5592-p365-24xh |
ImageMagick: Magick.NET: ImageMagick: Denial of Service via crafted image leading to out-of-bounds write |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-6v1d-1wfr-vqd1
Aliases: CVE-2026-40311 GHSA-r83h-crwp-3vm7 |
ImageMagick: Magick.NET: ImageMagick: Denial of Service via heap use-after-free in XMP profile processing |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-7gb9-gd78-7bdu
Aliases: CVE-2026-33901 GHSA-x9h5-r9v2-vcww |
ImageMagick: Magick.NET: ImageMagick: Denial of Service due to heap buffer overflow in MVG decoder |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-a2qm-vkc3-qkd5
Aliases: CVE-2025-55160 GHSA-6hgw-6x87-578x |
ImageMagick has Undefined Behavior (function-type-mismatch) in CloneSplayTree ## Summary - **Target:** ImageMagick (commit `ecc9a5eb456747374bae8e07038ba10b3d8821b3`) - **Type:** Undefined Behavior (function-type-mismatch) in splay tree cloning callback - **Impact:** Deterministic abort under UBSan (DoS in sanitizer builds). No crash in a non-sanitized build; likely low security impact. - **Trigger:** Minimal **2-byte** input parsed via MagickWand, then coalescing. ## Environment OS: macOS (Apple Silicon/arm64) Homebrew clang version 20.1.8 Target: arm64-apple-darwin24.5.0 Thread model: posix InstalledDir: /opt/homebrew/Cellar/llvm/20.1.8/bin Configuration file: /opt/homebrew/etc/clang/arm64-apple-darwin24.cfg Homebrew ImageMagick: `magick -version` → `ImageMagick 7.1.2-0 Q16-HDRI aarch64` pkg-config: `MagickWand-7.Q16HDRI` version `7.1.2` Library configure flags (capsule build): ./configure --disable-shared --enable-static --without-modules --without-magick-plus-plus --disable-openmp --without-perl --without-x --with-png=yes --without-jpeg --without-tiff --without-xml --without-lqr --without-gslib Harness compile flags: -fsanitize=fuzzer,address,undefined -fno-omit-frame-pointer pkg-config cflags/libs supplied: -I<...>/include/ImageMagick-7 -DMAGICKCORE_HDRI_ENABLE=1 -DMAGICKCORE_QUANTUM_DEPTH=16 -DMAGICKCORE_CHANNEL_MASK_DEPTH=32 and linked against MagickWand-7.Q16HDRI and MagickCore-7.Q16HDRI Sanitizer runtime: ASan+UBSan defaults. Repro also with `UBSAN_OPTIONS=print_stacktrace=1:halt_on_error=1` ## PoC - **Bytes (hex):** `1c 02` - **Base64:** `HAI=` - **sha256 (optional):** <fill in> ## Reproduction Create PoC: `printf '\x1c\x02' > poc.bin` Option A: libFuzzer harness - Run once: `./harness_ImageMagick_... -runs=1 ./poc.bin` - Expected: UBSan aborts with function-type-mismatch at `MagickCore/splay-tree.c:372:43`. Option B: standalone reproducer (C) - Compile (ensure `PKG_CONFIG_PATH` points to your ImageMagick if needed): /opt/homebrew/opt/llvm/bin/clang -g -O1 -fsanitize=address,undefined $(/opt/homebrew/bin/pkg-config --cflags MagickWand-7.Q16HDRI) repro.c -o repro $(/opt/homebrew/bin/pkg-config --libs MagickWand-7.Q16HDRI) - Run: UBSAN_OPTIONS=print_stacktrace=1:halt_on_error=1 ./repro ./poc.bin Observed output (excerpt) MagickCore/splay-tree.c:372:43: runtime error: call to function ConstantString through pointer to incorrect function type 'void *(*)(void *)' string.c:680: note: ConstantString defined here #0 CloneSplayTree splay-tree.c:372 #1 CloneImageProfiles profile.c:159 #2 CloneImage image.c:832 #3 CoalesceImages layer.c:269 #4 MagickCoalesceImages magick-image.c:1665 #5 main repro.c:XX Root cause The splay tree clone callback expects a function pointer of type `void *(*)(void *)`. ConstantString has a different signature (`char *ConstantString(const char *)`). Calling through the mismatched function type is undefined behavior in C and triggers UBSan’s function-type-mismatch. The path is exercised during coalescing: CloneImage → CloneImageProfiles → CloneSplayTree. Scope Reproduces with a minimal, sanitizer-instrumented, PNG-enabled build and delegates disabled (policy.xml), suggesting the issue is in MagickCore rather than external delegates. Suggested fix (sketch) Use a wrapper that matches the expected callback prototype, or adjust the splay-tree callback typedef for const-correctness. For example: static void *CloneStringShim(const void *p) { return (void *) ConstantString((const char *) p); } /* When setting splay-tree clone_value, use CloneStringShim instead of ConstantString. */ Alternatively, update the clone callback typedefs to use const void* consistently (and return void*) and ensure callers pass a correctly typed wrapper. Artifacts Minimised PoC: attached (poc.bin, 2 bytes; base64 HAI=) Harness source and exact build command (attached) Full UBSan trace (attached) Commit SHA and configure flags (above) Credits Discovered by: Lumina Mescuwa Method: libFuzzer + UBSan Verification - UBSan build: Reproduces with `halt_on_error=1`; aborts at `MagickCore/splay-tree.c:372`. - Non-sanitized Homebrew build (macOS arm64, clang 20.1.8): No crash; repro completes silently. |
Affected by 0 other vulnerabilities. |
|
VCID-eeju-vhdm-aqbe
Aliases: CVE-2026-33900 GHSA-v67w-737x-v2c9 |
ImageMagick: Magick.NET: ImageMagick: Denial of Service via integer truncation in viff encoder |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-egwu-28fp-dye6
Aliases: CVE-2026-33905 GHSA-pcvx-ph33-r5vv |
ImageMagick: ImageMagick: Denial of service via out-of-bounds read in -sample operation |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-j6tc-f4fc-mbcv
Aliases: CVE-2026-33902 GHSA-f4qm-vj5j-9xpw |
ImageMagick: ImageMagick: Denial of Service via deeply nested expression in FX parser |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-jc5m-7rvc-2qg6
Aliases: CVE-2026-32636 GHSA-gc62-2v5p-qpmp |
ImageMagick has a heap-buffer-overflow in NewXMLTree which could result in crash The NewXMLTree method contains a bug that could result in a crash due to an out of write bounds of a single zero byte. |
Affected by 0 other vulnerabilities. |
|
VCID-qjxn-gm96-7ygc
Aliases: CVE-2026-34238 GHSA-26qp-ffjh-2x4v |
ImageMagick: Magick.NET: ImageMagick: Denial of Service via integer overflow in despeckle operation |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-tt6z-t31v-dkdd
Aliases: CVE-2026-33536 GHSA-8793-7xv6-82cf |
ImageMagick has an Out-of-bounds Write via InterpretImageFilename Due to an incorrect return value on certain platforms a pointer is incremented past the end of a buffer that is on the stack and that could result in an out of bounds write. ``` ================================================================= ==48558==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x00016b9b7490 at pc 0x0001046d48ac bp 0x00016b9b31d0 sp 0x00016b9b31c8 WRITE of size 1 at 0x00016b9b7490 thread T0 ``` |
Affected by 0 other vulnerabilities. |
|
VCID-uvkp-1zss-57gr
Aliases: CVE-2026-33908 GHSA-fwvm-ggf6-2p4x |
ImageMagick: Magick.NET: ImageMagick: Denial of Service via deeply nested XML file processing |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-w9zg-tsbg-afa1
Aliases: CVE-2026-33899 GHSA-cr67-pvmx-2pp2 |
ImageMagick: Magick.NET: ImageMagick: Denial of Service via out-of-bounds write in XML parsing |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-zvq4-ybph-buga
Aliases: CVE-2026-33535 GHSA-mw3m-pqr2-qv7c |
ImageMagick has an Out-of-Bounds write of a zero byte in its X11 display interaction An out-of-bounds write of a zero byte exists in the X11 `display` interaction path that could lead to a crash. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-19T05:53:07.564369+00:00 | Debian Importer | Affected by | VCID-j6tc-f4fc-mbcv | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-19T05:11:45.531068+00:00 | Debian Importer | Affected by | VCID-4s37-h3p7-6uab | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-19T05:08:25.176141+00:00 | Debian Importer | Affected by | VCID-egwu-28fp-dye6 | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-19T04:27:59.945757+00:00 | Debian Importer | Affected by | VCID-w9zg-tsbg-afa1 | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-19T04:05:17.041793+00:00 | Debian Importer | Affected by | VCID-2yv5-qdeg-9bag | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-19T04:02:08.880891+00:00 | Debian Importer | Affected by | VCID-7gb9-gd78-7bdu | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-19T04:01:03.010856+00:00 | Debian Importer | Affected by | VCID-381g-7gdr-qydg | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-19T03:13:50.150721+00:00 | Debian Importer | Affected by | VCID-441f-z9bp-vbdu | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-19T03:10:52.497133+00:00 | Debian Importer | Affected by | VCID-uvkp-1zss-57gr | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-19T02:17:51.495483+00:00 | Debian Importer | Affected by | VCID-eeju-vhdm-aqbe | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-19T01:29:38.142559+00:00 | Debian Importer | Affected by | VCID-qjxn-gm96-7ygc | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-19T01:12:02.884057+00:00 | Debian Importer | Affected by | VCID-6v1d-1wfr-vqd1 | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-16T12:33:00.635058+00:00 | Debian Importer | Affected by | VCID-jc5m-7rvc-2qg6 | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-16T10:36:57.821774+00:00 | Debian Importer | Affected by | VCID-zvq4-ybph-buga | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-16T10:26:28.106165+00:00 | Debian Importer | Affected by | VCID-a2qm-vkc3-qkd5 | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-16T09:50:32.612704+00:00 | Debian Importer | Affected by | VCID-tt6z-t31v-dkdd | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-13T08:35:43.395566+00:00 | Debian Importer | Affected by | VCID-jc5m-7rvc-2qg6 | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-13T07:10:28.814331+00:00 | Debian Importer | Affected by | VCID-zvq4-ybph-buga | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-13T07:02:35.240489+00:00 | Debian Importer | Affected by | VCID-a2qm-vkc3-qkd5 | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-13T06:34:45.062621+00:00 | Debian Importer | Affected by | VCID-tt6z-t31v-dkdd | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-08T19:43:26.474055+00:00 | Debian Importer | Affected by | VCID-jc5m-7rvc-2qg6 | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |
| 2026-04-08T18:45:55.847797+00:00 | Debian Importer | Affected by | VCID-zvq4-ybph-buga | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |
| 2026-04-08T18:40:47.342106+00:00 | Debian Importer | Affected by | VCID-a2qm-vkc3-qkd5 | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |
| 2026-04-08T18:22:23.363593+00:00 | Debian Importer | Affected by | VCID-tt6z-t31v-dkdd | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |