Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, ImageMagick lacks proper boundary checking when processing Huffman-coded data from PCD (Photo CD) files. The decoder contains a function with an incorrect initialization that can cause an out-of-bounds read. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
Published: 2026-02-24
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory Corruption (Out‑of‑Bounds Read)
Action: Apply Patch
AI Analysis

Impact

ImageMagick, a widely used open source image manipulation library, contains a flaw in the PCD (Photo CD) decoder. The decoder decodes Huffman‑coded data without sufficient boundary validation, so an attacker who supplies a crafted PCD file can trigger an out‑of‑bounds read. This memory corruption can expose internal state and, if exploited further, could lead to information disclosure or denial of service. The flaw maps to several weakness classes, including buffer over-read and improper array index validation.

Affected Systems

The vulnerability affects the ImageMagick product prior to versions 7.1.2-15 and 6.9.13-40. Systems running those earlier releases that process PCD files are susceptible. The patched releases 7.1.2-15 and 6.9.13-40 contain the necessary bounds checking and are no longer vulnerable.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity, and the EPSS score of less than 1% implies a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to supply a malicious PCD file to an ImageMagick instance. If the image processing environment is exposed to untrusted input, the risk increases, but no confirmed remote code execution vector exists; the principal risk is memory corruption that could crash or leak data.

Generated by OpenCVE AI on April 17, 2026 at 15:56 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to version 7.1.2-15 or 6.9.13-40, which include the fixed boundary checks in the PCD decoder.
  • Disallow or restrict processing of PCD files when dealing with untrusted input. If possible, disable PCD support in the configuration to eliminate the attack surface.
  • Monitor system logs and runtime behavior for signs of memory corruptions or abnormal crashes, and apply additional input validation or sandboxing around image processing operations.
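The second recommendation can be enforced with ImageMagick's security policy. The fragment below is an added hardening example, not part of the OpenCVE record or of ImageMagick's shipped defaults; it assumes an ImageMagick 7 install reading /etc/ImageMagick-7/policy.xml (ImageMagick 6 installs read /etc/ImageMagick-6/policy.xml instead).

```xml
<!-- /etc/ImageMagick-7/policy.xml (path is an assumption; adjust to your install).
     Without a coder policy every registered format, PCD included, is decoded,
     so a crafted Photo CD file reaches the Huffman decoder described above.
     Denying the coder makes ImageMagick refuse PCD input before decoding starts.
     The pcd coder also registers the PCDS variant, so both names are matched. -->
<policymap>
  <!-- Hardened setting: refuse reading and writing of PCD/PCDS entirely. -->
  <policy domain="coder" rights="none" pattern="{PCD,PCDS}" />
</policymap>
```

Verify the policy is picked up with `magick -list policy` (`convert -list policy` on ImageMagick 6), which should list the coder pattern with rights None.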

Advisories

Source       ID                    Title
Debian DLA   DLA-4539-1            imagemagick security update
Debian DSA   DSA-6158-1            imagemagick security update
Debian DSA   DSA-6210-1            imagemagick security update
Github GHSA  GHSA-wrhr-rf8j-r842   ImageMagick: Heap overflow in pcd decoder leads to out of bounds read.
Ubuntu USN   USN-8069-1            ImageMagick vulnerabilities
History

Tue, 24 Feb 2026 22:15:00 +0000
  Metrics (ssvc), values added:
    {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Feb 2026 18:45:00 +0000
  Weaknesses, values added: CWE-125
  CPEs, values added: cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*

Tue, 24 Feb 2026 12:15:00 +0000
  Weaknesses, values added: CWE-131
  References: (values not shown)
  Metrics (threat_severity): removed None, added Moderate

Tue, 24 Feb 2026 10:00:00 +0000
  First Time appeared, values added: Imagemagick; Imagemagick imagemagick
  Vendors & Products, values added: Imagemagick; Imagemagick imagemagick

Tue, 24 Feb 2026 03:00:00 +0000
  Description, values added: ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, ImageMagick lacks proper boundary checking when processing Huffman-coded data from PCD (Photo CD) files. The decoder contains an function that has an incorrect initialization that could cause an out of bounds read. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
  Title, values added: ImageMagick has heap overflow in pcd decoder that leads to out of bounds read.
  Weaknesses, values added: CWE-122, CWE-787
  References: (values not shown)
  Metrics (cvssV3_1), values added:
    {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L'}

MITRE
  Status: PUBLISHED
  Assigner: GitHub_M
  Published:
  Updated: 2026-02-24T20:46:56.730Z
  Reserved: 2026-02-12T17:10:53.414Z
  Link: CVE-2026-26284

Vulnrichment
  Updated: 2026-02-24T20:46:40.783Z

NVD
  Status: Analyzed
  Published: 2026-02-24T03:16:01.543
  Modified: 2026-02-24T18:39:19.270
  Link: CVE-2026-26284

Red Hat
  Severity: Moderate
  Public Date: 2026-02-24T02:00:19Z
  Links: CVE-2026-26284 - Bugzilla

OpenCVE Enrichment
  Updated: 2026-04-17T16:00:11Z