Search for packages
| purl | pkg:nuget/Magick.NET-Q8-arm64@14.10.3 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1cpn-zvem-v7gt
Aliases: CVE-2026-28691 GHSA-wj8w-pjxf-9g4f |
ImageMagick has uninitialized pointer dereference in JBIG decoder An uninitialized pointer dereference vulnerability exists in the JBIG decoder due to a missing check. |
Affected by 1 other vulnerability. |
|
VCID-2zje-ag2v-7kac
Aliases: CVE-2026-30937 GHSA-qpg4-j99f-8xcg |
ImageMagick has heap buffer overflow in WriteXWDImage due to CARD32 arithmetic overflow in bytes_per_line calculation A 32-bit unsigned integer overflow in the XWD (X Windows) encoder can cause an undersized heap buffer allocation. When writing a extremely large image an out of bounds heap write can occur. ``` ================================================================= ==741961==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5020000083dc at pc 0x56553b4c4245 bp 0x7ffd9d20fef0 sp 0x7ffd9d20fee0 WRITE of size 1 at 0x5020000083dc thread T0 ``` |
Affected by 1 other vulnerability. |
|
VCID-54da-fzyt-4ud2
Aliases: CVE-2026-28690 GHSA-7h7q-j33q-hvpf |
ImageMagick has stack write buffer overflow in MNG encoder A stack buffer overflow vulnerability exists in the MNG encoder. There is a bounds checks missing that could corrupting the stack with attacker-controlled data. ``` ==2265506==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffec4971310 at pc 0x55e671b8a072 bp 0x7ffec4970f70 sp 0x7ffec4970f68 WRITE of size 1 at 0x7ffec4971310 thread T0 ``` |
Affected by 1 other vulnerability. |
|
VCID-6h7x-3rue-kucp
Aliases: CVE-2026-28692 GHSA-mrmj-x24c-wwcv |
ImageMagick has a heap buffer over-read via 32-bit integer overflow in MAT decoder In MAT decoder uses 32-bit arithmetic due to incorrect parenthesization resulting in a heap over-read. ``` ================================================================= ==969652==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x506000003b40 at pc 0x555557b2a926 bp 0x7fffffff4c80 sp 0x7fffffff4c70 READ of size 8 at 0x506000003b40 thread T0 ``` |
Affected by 1 other vulnerability. |
|
VCID-bw4q-dt1r-y3e4
Aliases: CVE-2026-30931 GHSA-h95r-c8c7-mrwx |
ImageMagick has heap-based buffer overflow in UHDR encoder A heap-based buffer overflow in the UHDR encoder can happen due to truncation of a value and it would allow an out of bounds write. ``` ================================================================ ==2158399==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x521000039500 at pc 0x562a4a42f968 bp 0x7ffcca4ed6c0 sp 0x7ffcca4ed6b0 WRITE of size 1 at 0x521000039500 thread T0 ``` |
Affected by 1 other vulnerability. |
|
VCID-cuhw-ew1g-s3h2
Aliases: CVE-2026-28687 GHSA-fpvf-frm6-625q |
ImageMagick has Heap Use-After-Free in ImageMagick MSL decoder A heap use-after-free vulnerability in ImageMagick's MSL decoder allows an attacker to trigger access to freed memory by crafting an MSL file. ``` ================================================================= ==1500633==ERROR: AddressSanitizer: heap-use-after-free on address 0x527000011550 at pc 0x5612583fa212 bp 0x7ffedb86d160 sp 0x7ffedb86d150 READ of size 8 at 0x527000011550 thread T0 ``` |
Affected by 1 other vulnerability. |
|
VCID-dabd-m3mf-3ker
Aliases: CVE-2026-30935 GHSA-cqw9-w2m7-r2m2 |
ImageMagick has Heap Buffer Over-Read in BilateralBlurImage BilateralBlurImage contains a heap buffer over-read caused by an incorrect conversion. When processing a crafted image with the `-bilateral-blur` operation an out of bounds read can occur. ``` ================================================================= ==676172==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x50a0000079c0 at pc 0x57b483c722f7 bp 0x7fffc0acd380 sp 0x7fffc0acd370 READ of size 4 at 0x50a0000079c0 thread T0 ``` |
Affected by 1 other vulnerability. |
|
VCID-g41y-dv8u-3yf1
Aliases: CVE-2026-30936 GHSA-5ggv-92r5-cp4p |
ImageMagick has Heap Buffer Overflow in WaveletDenoiseImage A crafted image could cause an out of bounds heap write inside the WaveletDenoiseImage method. When processing a crafted image with the -wavelet-denoise operation an out of bounds write can occur. ``` ================================================================= ==661320==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x503000002754 at pc 0x5ff45f82c92a bp 0x7fffb732b400 sp 0x7fffb732b3f0 WRITE of size 4 at 0x503000002754 thread T0 ``` |
Affected by 1 other vulnerability. |
|
VCID-jc5m-7rvc-2qg6
Aliases: CVE-2026-32636 GHSA-gc62-2v5p-qpmp |
ImageMagick has a heap-buffer-overflow in NewXMLTree which could result in crash The NewXMLTree method contains a bug that could result in a crash due to an out of write bounds of a single zero byte. |
Affected by 0 other vulnerabilities. |
|
VCID-n47w-r932-abey
Aliases: CVE-2026-30883 GHSA-qmw5-2p58-xvrc |
ImageMagick is vulnerable to Heap Overflow when writing extremely large image profile in the PNG encoder An extremely large image profile could result in a heap overflow when encoding a PNG image. |
Affected by 1 other vulnerability. |
|
VCID-r3vw-ncns-cqgb
Aliases: CVE-2026-31853 GHSA-56jp-jfqg-f8f4 |
ImageMagick is vulnerable to heap buffer over-write on 32-bit systems in SFW decoder An overflow on 32-bit systems can cause a crash in the SFW decoder when processing extremely large images. |
Affected by 1 other vulnerability. |
|
VCID-rbdg-vz8x-ykah
Aliases: CVE-2026-28688 GHSA-xxw5-m53x-j38c |
ImageMagick has heap use-after-free in the MSL encoder A heap-use-after-free vulnerability exists in the MSL encoder, where a cloned image is destroyed twice. The MSL coder does not support writing MSL so the write capability has been removed. ``` SUMMARY: AddressSanitizer: heap-use-after-free MagickCore/image.c:1195 in DestroyImage Shadow bytes around the buggy address: 0x0a4e80007450: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0a4e80007460: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0a4e80007470: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0a4e80007480: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0a4e80007490: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd =>0x0a4e800074a0: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd 0x0a4e800074b0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa 0x0a4e800074c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0a4e800074d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0a4e800074e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0a4e800074f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa ``` |
Affected by 1 other vulnerability. |
|
VCID-rj9n-ra1t-77dy
Aliases: CVE-2026-30929 GHSA-rqq8-jh93-f4vg |
ImageMagick has stack buffer overflow in MagnifyImage MagnifyImage uses a fixed-size stack buffer. When using a specific image it is possible to overflow this buffer and corrupt the stack. |
Affected by 1 other vulnerability. |
|
VCID-rjkf-pdny-2fhn
Aliases: CVE-2026-28494 GHSA-932h-jw47-73jm |
ImageMagick vulnerable to stack corruption through long morphology kernel names or arrays A stack buffer overflow exists in ImageMagick's morphology kernel parsing functions. User-controlled kernel strings exceeding a buffer are copied into fixed-size stack buffers via memcpy without bounds checking, resulting in stack corruption. |
Affected by 1 other vulnerability. |
|
VCID-sw7g-hxxr-n3e1
Aliases: CVE-2026-28689 GHSA-493f-jh8w-qhx3 |
ImageMagick has a Path Policy TOCTOU symlink race bypass `domain="path"` authorization is checked before final file open/use. A symlink swap between check-time and use-time bypasses policy-denied read/write. |
Affected by 1 other vulnerability. |
|
VCID-x8c6-9pse-xkc8
Aliases: CVE-2026-28693 GHSA-hffp-q43q-qq76 |
ImageMagick: Integer overflow in DIB coder can result in out of bounds read or write An integer overflow in DIB coder can result in out of bounds read or write |
Affected by 1 other vulnerability. |
|
VCID-y58b-be93-hbfd
Aliases: CVE-2026-28686 GHSA-467j-76j7-5885 |
ImageMagick: Write heap-buffer-overflow in PCL encoder via undersized output buffer A heap-buffer-overflow vulnerability exists in the PCL encode due to an undersized output buffer allocation. ``` WRITE of size 1 at 0x7e79f91f31a0 thread T0 ``` |
Affected by 1 other vulnerability. |
|
VCID-zpcy-nms7-kuha
Aliases: CVE-2026-28493 GHSA-r39q-jr8h-gcq2 |
ImageMagick has Integer Overflow leading to out of bounds write in SIXEL decoder An integer overflow vulnerability exists in the SIXEL decoer. The vulnerability allows an attacker to perform an out of bounds via a specially crafted mage. |
Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-15ny-qqbj-qyfk | ImageMagick has infinite loop when writing IPTCTEXT leads to denial of service via crafted profile A crafted profile contain invalid IPTC data may cause an infinite loop when writing it with `IPTCTEXT`. |
CVE-2026-26066
GHSA-v994-63cg-9wj3 |
| VCID-29r3-kvf4-n3hc | ImageMagick: Heap Buffer Over-read in WaveletDenoise when processing small images A heap buffer over-read vulnerability occurs when processing an image with small dimension using the `-wavelet-denoise` operator. ``` ==3693336==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x511000001280 at pc 0x5602c8b0cc75 bp 0x7ffcb105d510 sp 0x7ffcb105d500 READ of size 4 at 0x511000001280 thread T0 ``` |
CVE-2026-27798
GHSA-qpgx-jfcq-r59f |
| VCID-5uyd-bv33-h7g1 | ImageMagick: Heap overflow in sun decoder on 32-bit systems may result in out of bounds write An Integer Overflow vulnerability exists in the sun decoder. On 32-bit systems/builds, a carefully crafted image can lead to an out of bounds heap write. ``` ================================================================= ==1967675==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf190b50e at pc 0x5eae8777 bp 0xffb0fdd8 sp 0xffb0fdd0 WRITE of size 1 at 0xf190b50e thread T0 ``` |
CVE-2026-25897
GHSA-6j5f-24fw-pqp4 |
| VCID-5xqd-gf3b-4ygw | ImageMagick's Security Policy Bypass through config/policy-secure.xml via "fd handler" leads to stdin/stdout access The shipped “secure” security policy includes a rule intended to prevent reading/writing from standard streams: ```xml <policy domain="path" rights="none" pattern="-"/> ``` However, ImageMagick also supports fd:<n> pseudo-filenames (e.g., fd:0, fd:1). This path form is not blocked by the secure policy templates, and therefore bypasses the protection goal of “no stdin/stdout”. To resolve this, users can add the following change to their security policy. ```xml <policy domain="path" rights="none" pattern="fd:*"/> ``` And this will also be included in ImageMagick's more secure policies by default. |
CVE-2026-25966
GHSA-xwc6-v6g8-pw2h |
| VCID-5zkt-kcgx-a3e2 | ImageMagick Has Signed Integer Overflow in SIXEL Decoder, Leading to Memory Corruption A signed integer overflow vulnerability in ImageMagick's SIXEL decoder allows an attacker to trigger memory corruption and denial of service when processing a maliciously crafted SIXEL image file. The vulnerability occurs during buffer reallocation operations where pointer arithmetic using signed 32-bit integers overflows. ``` AddressSanitizer:DEADLYSIGNAL ================================================================= ==143838==ERROR: AddressSanitizer: UNKNOWN SIGNAL on unknown address 0x000000000000 #0 0x7f379d5adb53 (/lib/x86_64-linux-gnu/libc.so.6+0xc4b53) ``` |
CVE-2026-25970
GHSA-xg29-8ghv-v4xr |
| VCID-62ar-kwbq-nyh3 | ImageMagick has memory leak in msl encoder Memory leak exists in `coders/msl.c`. In the `WriteMSLImage` function of the `msl.c` file, resources are allocated. But the function returns early without releasing these allocated resources. ``` ==78983== Memcheck, a memory error detector ==78983== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al. ==78983== Using Valgrind-3.22.0 and LibVEX; rerun with -h for copyright info ==78983== ==78983== 177,196 (13,512 direct, 163,684 indirect) bytes in 1 blocks are definitely lost in loss record 21 of 21 ==78983== at 0x4846828: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) ``` |
CVE-2026-25638
GHSA-gxcx-qjqp-8vjw |
| VCID-69f6-ceje-hyah | ImageMagick: Malicious PCD files trigger 1‑byte heap Out-of-bounds Read and DoS The PCD coder’s DecodeImage loop allows a crafted PCD file to trigger a 1‑byte heap out-of-bounds read when decoding an image (Denial of service) and potential disclosure of adjacent heap byte. |
GHSA-wgxp-q8xq-wpp9
|
| VCID-6rma-wjdv-uqe9 | mageMagick has a possible use-after-free write in its PDB decoder A use-after-free vulnerability exists in the PDB decoder that will use a stale pointer when a memory allocation fails and that could result in a crash or a single zero byte write. ``` ==4033155==ERROR: AddressSanitizer: UNKNOWN SIGNAL on unknown address 0x000000000000 (pc 0x5589c1971b24 bp 0x7ffdcc7ae2d0 sp 0x7ffdcc7adb20 T0) ``` ``` ==4034812==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f099e9f7800 at pc 0x5605d909ab20 bp 0x7ffe52045b50 sp 0x7ffe52045b40 WRITE of size 1 at 0x7f099e9f7800 thread T0 ``` |
GHSA-3j4x-rwrx-xxj9
|
| VCID-6ztv-auh8-27gx | ImageMagick: Memory Leak in multiple coders that write raw pixel data A memory leak vulnerability exists in multiple coders that write raw pixel data where an object is not freed. ``` Direct leak of 160 byte(s) in 1 object(s) allocated from: ``` |
GHSA-wfx3-6g53-9fgc
|
| VCID-acsa-1uwk-fqee | ImageMagick has Possible Heap Information Disclosure in PSD ZIP Decompression ### Description A heap information disclosure vulnerability exists in ImageMagick's PSD (Adobe Photoshop) format handler. When processing a maliciously crafted PSD file containing ZIP-compressed layer data that decompresses to less than the expected size, uninitialized heap memory is leaked into the output image. ### Expected Impact Information disclosure leading to potential exposure of sensitive data from server memory. |
CVE-2026-24481
GHSA-96pc-27rx-pr36 |
| VCID-anyp-2jr7-73a1 | ImageMagick has a possible heap Use After Free vulnerability in its meta coder A heap Use After Free vulnerability exists in the meta coder when an allocation fails and a single byte is written to a stale pointer. ``` ==535852==ERROR: AddressSanitizer: heap-use-after-free on address 0x5210000088ff at pc 0x5581bacac14d bp 0x7ffdf667edf0 sp 0x7ffdf667ede0 WRITE of size 1 at 0x5210000088ff thread T0 ``` |
GHSA-2gq3-ww97-wfjm
|
| VCID-b5pd-kk97-gban | ImageMagick: Converting multi-layer nested MVG to SVG can cause DoS Magick fails to check for multi-layer nested mvg conversions to svg, leading to DoS. |
CVE-2026-24484
GHSA-wg3g-gvx5-2pmv |
| VCID-bd1g-sfsp-37h7 | ImageMagick: Stack buffer overflow in FTXT reader via oversized integer field ### Summary A stack-based buffer overflow exists in the ImageMagick FTXT image reader. A crafted FTXT file can cause out-of-bounds writes on the stack, leading to a crash. ``` ================================================================= ==3537074==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffee4850ef0 at pc 0x5607c408fb33 bp 0x7ffee484fe50 sp 0x7ffee484fe40 WRITE of size 1 at 0x7ffee4850ef0 thread T0 ``` |
CVE-2026-25967
GHSA-72hf-fj62-w6j4 |
| VCID-cbqr-aybx-d3e6 | ImageMagick has Use After Free in MSLStartElement in "coders/msl.c" A crafted MSL script triggers a heap-use-after-free. The operation element handler replaces and frees the image while the parser continues reading from it, leading to a UAF in ReadBlobString during further parsing. |
CVE-2026-25983
GHSA-fwqw-2x5x-w566 |
| VCID-d8yf-8rff-3yhf | ImageMagick has a possible infinite loop in its JPEG encoder when using `jpeg:extent` A `continue` statement in the JPEG extent binary search loop in the jpeg encoder causes an infinite loop when writing persistently fails. An attacker can trigger a 100% CPU consumption and process hang (Denial of Service) with a crafted image. |
CVE-2026-26283
GHSA-gwr3-x37h-h84v |
| VCID-dtza-65ku-aber | ImageMagick has NULL pointer dereference in ReadSFWImage after DestroyImageInfo (sfw.c) In `ReadSFWImage()` (`coders/sfw.c`), when temporary file creation fails, `read_info` is destroyed before its `filename` member is accessed, causing a NULL pointer dereference and crash. ``` AddressSanitizer:DEADLYSIGNAL ================================================================= ==1414421==ERROR: AddressSanitizer: UNKNOWN SIGNAL on unknown address 0x000000000000 (pc 0x56260222912f bp 0x7ffec0a193b0 sp 0x7ffec0a19360 T0) #0 0x56260222912f (/data/ylwang/LargeScan/targets/ImageMagick/utilities/magick+0x235f12f) ``` |
CVE-2026-25795
GHSA-p33r-fqw2-rqmm |
| VCID-emmr-15qp-vfah | ImageMagick has Global Buffer Overflow (OOB Read) via Negative Pixel Index in UIL and XPM Writer The UIL and XPM image encoder do not validate the pixel index value returned by `GetPixelIndex()` before using it as an array subscript. In HDRI builds, `Quantum` is a floating-point type, so pixel index values can be negative. An attacker can craft an image with negative pixel index values to trigger a global buffer overflow read during conversion, leading to information disclosure or a process crash. ``` READ of size 1 at 0x55a8823a776e thread T0 #0 0x55a880d01e85 in WriteUILImage coders/uil.c:355 ``` ``` READ of size 1 at 0x55fa1c04c66e thread T0 #0 0x55fa1a9ee415 in WriteXPMImage coders/xpm.c:1135 ``` |
CVE-2026-25898
GHSA-vpxv-r9pg-7gpr |
| VCID-f1zu-xb4j-8qhp | ImageMagick has a heap buffer over-read in its MAP image decoder A heap buffer over-read vulnerability exists in the MAP image decoder when processing crafted MAP files, potentially leading to crashes or unintended memory disclosure during image decoding. ``` ================================================================= ==4070926==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x502000002b31 at pc 0x56517afbd910 bp 0x7ffc59e90000 sp 0x7ffc59e8fff0 READ of size 1 at 0x502000002b31 thread T0 ``` |
CVE-2026-25987
GHSA-42p5-62qq-mmh7 |
| VCID-fnck-7mvx-hqc9 | ImageMagick has a heap Buffer Over-read in its DJVU image format handler A heap Buffer Over-read vulnerability exists in the DJVU image format handler. The vulnerability occurs due to integer truncation when calculating the stride (row size) for pixel buffer allocation. The stride calculation overflows a 32-bit signed integer, resulting in an out-of-bounds memory reads. |
CVE-2026-27799
GHSA-r99p-5442-q2x2 |
| VCID-gdg8-aejn-83c4 | ImageMagick: Policy bypass through path traversal allows reading restricted content despite secured policy ImageMagick’s path security policy is enforced on the raw filename string before the filesystem resolves it. As a result, a policy rule such as /etc/* can be bypassed by a path traversal. The OS resolves the traversal and opens the sensitive file, but the policy matcher only sees the unnormalized path and therefore allows the read. This enables local file disclosure (LFI) even when policy-secure.xml is applied. Actions to prevent reading from files have been taken. But it make sure writing is also not possible the following should be added to your policy: ``` <policy domain="path" rights="none" pattern="*../*"/> ``` And this will also be included in the project's more secure policies by default. |
CVE-2026-25965
GHSA-8jvj-p28h-9gm7 |
| VCID-jcjk-s89c-mbbm | ImageMagick: Invalid MSL <map> can result in a use after free The MSL interpreter crashes when processing a invalid `<map>` element that causes it to use an image after it has been freed. |
CVE-2026-26983
GHSA-w8mw-frc6-r7m8 |
| VCID-jvq6-xjbu-fkb9 | ImageMagick: Infinite loop vulnerability when parsing a PCD file When a PCD file does not contain a valid marker, the DecodeImage() function becomes trapped in an infinite loop while searching for the marker, causing the program to become unresponsive and continuously consume CPU resources, ultimately leading to system resource exhaustion and denial of service. |
CVE-2026-24485
GHSA-pqgj-2p96-rx85 |
| VCID-kdw5-8y5z-zya5 | ImageMagick: Possible memory leak in ASHLAR encoder A memory leak in the ASHLAR image writer allows an attacker to exhaust process memory by providing a crafted image that results in small objects that are allocated but never freed. ``` ==880062== Memcheck, a memory error detector ==880062== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==880062== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info ==880062== ==880062== ==880062== HEAP SUMMARY: ==880062== in use at exit: 386,826 bytes in 696 blocks ==880062== total heap usage: 30,523 allocs, 29,827 frees, 21,803,756 bytes allocated ==880062== ==880062== LEAK SUMMARY: ==880062== definitely lost: 3,408 bytes in 3 blocks ==880062== indirectly lost: 88,885 bytes in 30 blocks ==880062== possibly lost: 140,944 bytes in 383 blocks ==880062== still reachable: 151,573 bytes in 259 blocks ==880062== suppressed: 0 bytes in 0 blocks ==880062== Reachable blocks (those to which a pointer was found) are not shown. ==880062== To see them, rerun with: --leak-check=full --show-leak-kinds=all ==880062== ==880062== For lists of detected and suppressed errors, rerun with: -s ==880062== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0) ``` |
CVE-2026-25637
GHSA-gm37-qx7w-p258 |
| VCID-kefv-kpkk-wudf | ImageMagick has Division-by-Zero in YUV sampling factor validation, which leads to crash A logic error in YUV sampling factor validation allows an invalid sampling factor to bypass checks and trigger a division-by-zero during image loading, resulting in a reliable denial-of-service. ``` coders/yuv.c:210:47: runtime error: division by zero AddressSanitizer:DEADLYSIGNAL ================================================================= ==3543373==ERROR: AddressSanitizer: UNKNOWN SIGNAL on unknown address 0x000000000000 (pc 0x55deeb4d723c bp 0x7fffc28d34d0 sp 0x7fffc28d3320 T0) #0 0x55deeb4d723c in ReadYUVImage coders/yuv.c:210 #1 0x55deeb751dff in ReadImage MagickCore/constitute.c:743 #2 0x55deeb756374 in ReadImages MagickCore/constitute.c:1082 #3 0x55deec682375 in CLINoImageOperator MagickWand/operation.c:4959 #4 0x55deec6887ed in CLIOption MagickWand/operation.c:5473 #5 0x55deec32843b in ProcessCommandOptions MagickWand/magick-cli.c:653 #6 0x55deec32b99b in MagickImageCommand MagickWand/magick-cli.c:1392 #7 0x55deec324d58 in MagickCommandGenesis MagickWand/magick-cli.c:177 #8 0x55deead82519 in MagickMain utilities/magick.c:162 #9 0x55deead828be in main utilities/magick.c:193 #10 0x7fb90807fd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 #11 0x7fb90807fe3f in __libc_start_main_impl ../csu/libc-start.c:392 #12 0x55deead81974 in _start (/data/ylwang/LargeScan/targets/ImageMagick/utilities/magick+0x22fb974) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: UNKNOWN SIGNAL coders/yuv.c:210 in ReadYUVImage ==3543373==ABORTING ``` |
CVE-2026-25799
GHSA-543g-8grm-9cw6 |
| VCID-mntx-6yku-3qcx | ImageMagick: SVG-to-MVG Command Injection via coders/svg.c An attacker can inject arbitrary MVG (Magick Vector Graphics) drawing commands in an SVG file that is read by the internal SVG decoder of ImageMagick. The injected MVG commands execute during rendering. |
GHSA-xpg8-7m6m-jf56
|
| VCID-p5aw-n691-nkff | ImageMagick: MSL image stack index may fail to refresh, leading to leaked images Sometimes msl.c fails to update the stack index, so an image is stored in the wrong slot and never freed on error, causing leaks. ``` ==841485==ERROR: LeakSanitizer: detected memory leaks Direct leak of 13512 byte(s) in 1 object(s) allocated from: #0 0x7ff330759887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145 ``` |
CVE-2026-25988
GHSA-782x-jh29-9mf7 |
| VCID-pcme-bwan-3bcf | ImageMagick has NULL Pointer Dereference in ClonePixelCacheRepository via crafted image A NULL pointer dereference in ClonePixelCacheRepository allows a remote attacker to crash any application linked against ImageMagick by supplying a crafted image file, resulting in Denial of Service. ``` AddressSanitizer:DEADLYSIGNAL ================================================================= ==3704942==ERROR: AddressSanitizer: UNKNOWN SIGNAL on unknown address 0x000000000000 (pc 0x7f9d141239e0 bp 0x7ffd4c5711e0 sp 0x7ffd4c571148 T0) #0 0x7f9d141239e0 (/lib/x86_64-linux-gnu/libc.so.6+0xc49e0) #1 0x558a25e4f08d in ClonePixelCacheRepository._omp_fn.0 MagickCore/cache.c:784 #2 0x7f9d14c06a15 in GOMP_parallel (/lib/x86_64-linux-gnu/libgomp.so.1+0x14a15) #3 0x558a25e43151 in ClonePixelCacheRepository MagickCore/cache.c:753 #4 0x558a25e49a96 in OpenPixelCache MagickCore/cache.c:3849 #5 0x558a25e45117 in GetImagePixelCache MagickCore/cache.c:1829 #6 0x558a25e4dde3 in SyncImagePixelCache MagickCore/cache.c:5647 #7 0x558a256ba57d in SetImageExtent MagickCore/image.c:2713 ``` |
CVE-2026-25798
GHSA-p863-5fgm-rgq4 |
| VCID-sd54-b8z1-2fg7 | ImageMagick: Integer overflow or wraparound and incorrect conversion between numeric types in the internal SVG decoder A crafted SVG file can cause a denial of service. An off-by-one boundary check (`>` instead of `>=`) that allows bypass the guard and reach an undefined `(size_t)` cast. |
CVE-2026-25989
GHSA-7355-pwx2-pm84 |
| VCID-sd7w-6qv5-73ge | ImageMagick: Integer Overflow in PSB (PSD v2) RLE decoding path causes heap Out of Bounds reads for 32-bit builds An integer overflow in the PSB (PSD v2) RLE decoding path causes a heap out-of-bounds read on 32-bit builds. This can lead to information disclosure or a crash when processing crafted PSB files. ``` ================================================================= ==3298==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf512eb00 at pc 0xf76760b5 bp 0xffc1dfb8 sp 0xffc1dfa8 READ of size 8 at 0xf512eb00 thread T0 #0 0xf76760b4 in ReadPSDChannelRLE coders/psd.c:1141 ``` |
CVE-2026-25984
GHSA-273h-m46v-96q4 |
| VCID-sdc2-fcap-abaz | ImageMagick has Heap Out-of-Bounds Read in DCM Decoder (ReadDCMImage) A heap out-of-bounds read vulnerability exists in the `coders/dcm.c` module. When processing DICOM files with a specific configuration, the decoder loop incorrectly reads bytes per iteration. This causes the function to read past the end of the allocated buffer, potentially leading to a Denial of Service (crash) or Information Disclosure (leaking heap memory into the image). |
CVE-2026-25982
GHSA-pmq6-8289-hx3v |
| VCID-tv15-dcnu-pbbn | ImageMagick: Heap overflow in pcd decoder leads to out of bounds read. The pcd coder lacks proper boundary checking when processing Huffman-coded data. The decoder contains an function that has an incorrect initialization that could cause an out of bounds read. ``` ==3900053==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x502000003c6c at pc 0x55601b9cc552 bp 0x7ffd904b1f70 sp 0x7ffd904b1f60 READ of size 1 at 0x502000003c6c thread T0 ``` |
CVE-2026-26284
GHSA-wrhr-rf8j-r842 |
| VCID-utfe-h3b7-jqcj | ImageMagick: MSL - Stack overflow in ProcessMSLScript ### Summary Magick fails to check for circular references between two MSLs, leading to a stack overflow. ### Details After reading a.msl using magick, the following is displayed: `MSLStartElement` -> `ReadImage` -> `ReadMSLImage` -> `ProcessMSLScript` -> `xmlParseChunk` -> `xmlParseTryOrFinish` -> `MSLStartElement` ```bash AddressSanitizer:DEADLYSIGNAL ================================================================= ==114345==ERROR: AddressSanitizer: UNKNOWN SIGNAL on unknown address 0x000000000000 (pc 0x72509fc7d804 bp 0x7ffd6598b390 sp 0x7ffd6598ab20 T0) #0 0x72509fc7d804 in strlen ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:388 [...] ``` |
CVE-2026-25971
GHSA-8mpr-6xr2-chhc |
| VCID-uvpj-a8v5-ebgz | Image Magick has a Memory Leak in coders/ashlar.c Memory leak exists in `coders/ashlar.c`. The `WriteASHLARImage` allocates a structure. However, when an exception is thrown, the allocated memory is not properly released, resulting in a potential memory leak. ``` ```bash ==78968== Memcheck, a memory error detector ==78968== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al. ==78968== Using Valgrind-3.22.0 and LibVEX; rerun with -h for copyright info ==78968== ==78968== HEAP SUMMARY: ==78968== in use at exit: 17,232 bytes in 4 blocks ==78968== total heap usage: 4,781 allocs, 4,777 frees, 785,472 bytes allocated ``` |
CVE-2026-25969
GHSA-xgm3-v4r9-wfgm |
| VCID-vpdn-g1k9-1kdn | ImageMagick has heap buffer overflow in YUV 4:2:2 decoder A heap buffer overflow write vulnerability exists in ReadYUVImage() (coders/yuv.c) when processing malicious YUV 4:2:2 (NoInterlace) images. The pixel-pair loop writes one pixel beyond the allocated row buffer. ``` ================================================================= ==204642==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5170000002e0 at pc 0x562d21a7e8de bp 0x7fffa9ae1270 sp 0x7fffa9ae1260 WRITE of size 8 at 0x5170000002e0 thread T0 ``` |
CVE-2026-25986
GHSA-mqfc-82jx-3mr2 |
| VCID-x44m-x33k-hydn | ImageMagick: Heap-based Buffer Overflow in GetPixelIndex due to metadata-cache desynchronization `OpenPixelCache` updates image channel metadata **before** attempting pixel cache memory allocation. When both memory and disk allocation fail a heap-buffer-overflow read in occurs in any writer that calls `GetPixelIndex`. |
GHSA-gq5v-qf8q-fp77
|
| VCID-xbsu-ac6g-53fn | ImageMagick has heap-buffer-overflow via signed integer overflow in WriteUHDRImage when writing UHDR images with large dimensions `WriteUHDRImage` in `coders/uhdr.c` uses `int` arithmetic to compute the pixel buffer size. When image dimensions are large, the multiplication overflows 32-bit `int`, causing an undersized heap allocation followed by an out-of-bounds write. This can crash the process or potentially lead to an out of bounds heap write. ``` ==1575126==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fc382ef3820 at pc 0x5560d31f229f bp 0x7ffe865f9530 sp 0x7ffe865f9520 WRITE of size 8 at 0x7fc382ef3820 thread T0 #0 0x5560d31f229e in WriteUHDRImage coders/uhdr.c:807 ``` |
CVE-2026-25794
GHSA-vhqj-f5cj-9x8h |
| VCID-y4hn-6bv6-jugw | ImageMagick: MSL attribute stack buffer overflow leads to out of bounds write. A stack buffer overflow occurs when processing the an attribute in msl.c. A long value overflows a fixed-size stack buffer, leading to memory corruption. ``` ================================================================= ==278522==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdb8c76984 at pc 0x55a4bf16f507 bp 0x7ffdb8c75bc0 sp 0x7ffdb8c75bb0 WRITE of size 1 at 0x7ffdb8c76984 thread T0 ``` |
CVE-2026-25968
GHSA-3mwp-xqp2-q6ph |
| VCID-yx7r-r7ez-7uhp | ImageMagick: Code Injection via PostScript header in ps coders The ps encoders, responsible for writing PostScript files, fails to sanitize the input before writing it into the PostScript header. An attacker can provide a malicious file and inject arbitrary PostScript code. When the resulting file is processed by a printer or a viewer (like Ghostscript), the injected code is interpreted and executed. The html encoder does not properly escape strings that are written to in the html document. An attacker can provide a malicious file and injection arbitrary html code. |
CVE-2026-25797
GHSA-rw6c-xp26-225v |
| VCID-z9t9-bxf9-hkfk | ImageMagick has memory leak of watermark Image object in ReadSTEGANOImage on multiple error/early-return paths ### Summary In `ReadSTEGANOImage()` (`coders/stegano.c`), the `watermark` Image object is not freed on three early-return paths, resulting in a definite memory leak (~13.5KB+ per invocation) that can be exploited for denial of service. ``` Direct leak of 13512 byte(s) in 1 object(s) allocated from: #0 0x7f5c11e27887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145 #1 0x55cdc38f65c4 in AcquireMagickMemory MagickCore/memory.c:536 #2 0x55cdc38f65eb in AcquireCriticalMemory MagickCore/memory.c:612 #3 0x55cdc3899e91 in AcquireImage MagickCore/image.c:154 ``` |
CVE-2026-25796
GHSA-g2pr-qxjg-7r2w |
| VCID-zab9-9tqj-hbhg | ImageMagick: Memory allocation with excessive without limits in the internal SVG decoder A crafted SVG file containing an malicious element causes ImageMagick to attempt to allocate ~674 GB of memory, leading to an out-of-memory abort. Found via AFL++ fuzzing with afl-clang-lto instrumentation and AddressSanitizer. |
CVE-2026-25985
GHSA-v7g2-m8c5-mf84 |
| VCID-zx14-t8et-ufcq | ImageMagick: Memory leak in coders/txt.c without freetype If a `texture` attribute is specified for a TXT file, an attempt will be made to read it via `texture=ReadImage(read_info,exception);`. Later, when retrieving metrics via the `GetTypeMetrics` function, if this function fails (i.e., `status == MagickFalse`), the calling function will exit immediately but fail to release the texture object, leading to memory leakage. |
GHSA-3q5f-gmjc-38r8
|