SB2026022540 - Multiple vulnerabilities in ImageMagick
Published: February 25, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 22 secuirty vulnerabilities.
1) Heap-based buffer overflow (CVE-ID: CVE-2026-27799)
The vulnerability allows a local attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in the DJVU image format handler. A local attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and cause a denial of service condition on the target system.
2) Use-after-free (CVE-ID: N/A)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in the PDB decoder. A remote attacker can perform a denial of service (DoS) attack.
3) Infinite loop (CVE-ID: CVE-2026-26283)
The vulnerability allows a local attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop in JPEG encoder when using "jpeg:extent". A local attacker can consume all available system resources and cause denial of service conditions.
4) Out-of-bounds read (CVE-ID: N/A)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in the PCD coder’s DecodeImage loop. A remote attacker can trigger an out-of-bounds read error and read contents of memory on the system.
5) Resource exhaustion (CVE-ID: CVE-2026-26066)
The vulnerability allows a local attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when writing IPTCTEXT. A local attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
6) NULL pointer dereference (CVE-ID: CVE-2026-26983)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in the MSL interpreter. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
7) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-25985)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to allocation of resources without limits or throttling in the internal SVG decoder. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
8) Integer overflow (CVE-ID: CVE-2026-25989)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to integer overflow in the internal SVG decoder. A remote attacker can pass specially crafted data to the application, trigger integer overflow and cause a denial of service condition on the target system.
9) Heap-based buffer overflow (CVE-ID: CVE-2026-25897)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to a boundary error in the sun decoder. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and perform a denial of service (DoS) attack.
10) Code Injection (CVE-ID: CVE-2026-25797)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation within the ps encoders. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
11) Improper Encoding or Escaping of Output (CVE-ID: N/A)
The vulnerability allows a remote attacker to execute arbitrary commands on the system.
The vulnerability exists due to improper encoding or escaping of output within coders/svg.c. A remote attacker can pass specially crafted data to the application and execute arbitrary commands.
12) Memory leak (CVE-ID: N/A)
The vulnerability allows a remote attacker to perform DoS attack on the target system.
The vulnerability exists due memory leak in coders/txt.c without freetype. A remote attacker can force the application to leak memory and perform denial of service attack.
13) Memory leak (CVE-ID: N/A)
The vulnerability allows a remote attacker to perform DoS attack on the target system.
The vulnerability exists due memory leak in multiple coders that write raw pixel data. A remote attacker can force the application to leak memory and perform denial of service attack.
14) Out-of-bounds read (CVE-ID: CVE-2026-25898)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to a boundary condition within negative pixel index in UIL and XPM writer. A remote attacker can trigger an out-of-bounds read error and read contents of memory on the system or perform a denial of service (DoS) attack..
15) Heap-based buffer overflow (CVE-ID: CVE-2026-25794)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to a boundary error in the "WriteUHDRImage" function in coders/uhdr.c. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and perform a denial of service (DoS) attack.
16) Memory leak (CVE-ID: CVE-2026-25796)
The vulnerability allows a remote attacker to perform DoS attack on the target system.
The vulnerability exists due memory leak in the "ReadSTEGANOImage()" function on multiple error/early-return paths. A remote attacker can force the application to leak memory and perform denial of service attack.
17) NULL pointer dereference (CVE-ID: CVE-2026-25795)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in the "ReadSFWImage()" function. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
18) Out-of-bounds read (CVE-ID: N/A)
The vulnerability allows a remote user to compromise the target system.
The vulnerability exists due to a boundary condition in GetPixelIndex. A remote administrator can trigger an out-of-bounds read error and read contents of memory on the system, or perform a deial of service (DoS) attack.
19) Memory leak (CVE-ID: CVE-2026-25637)
The vulnerability allows a remote attacker to perform DoS attack on the target system.
The vulnerability exists due memory leak in the ASHLAR image writer. A remote attacker can force the application to leak memory and perform denial of service attack.
20) Path traversal (CVE-ID: CVE-2026-25965)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
21) Out-of-bounds read (CVE-ID: CVE-2026-27798)
The vulnerability allows a local attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in WaveletDenoise with small images. A local attacker can trigger an out-of-bounds read error and read contents of memory on the system.
22) Use-after-free (CVE-ID: N/A)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in meta coder. A remote attacker can pass specially crafted image to the application, trigger a use-after-free error and execute arbitrary code on the system.
Remediation
Install update from vendor's website.
References
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-r99p-5442-q2x2
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-3j4x-rwrx-xxj9
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-gwr3-x37h-h84v
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-wgxp-q8xq-wpp9
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v994-63cg-9wj3
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-w8mw-frc6-r7m8
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v7g2-m8c5-mf84
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7355-pwx2-pm84
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-6j5f-24fw-pqp4
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-rw6c-xp26-225v
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xpg8-7m6m-jf56
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-3q5f-gmjc-38r8
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-wfx3-6g53-9fgc
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vpxv-r9pg-7gpr
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vhqj-f5cj-9x8h
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-g2pr-qxjg-7r2w
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-p33r-fqw2-rqmm
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-gq5v-qf8q-fp77
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-gm37-qx7w-p258
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-8jvj-p28h-9gm7
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qpgx-jfcq-r59f
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-2gq3-ww97-wfjm