Description
ImageMagick before 7.1.2-15 (and 6.x before 6.9.13-40) contains a heap out-of-bounds read in the PCD coder's DecodeImage loop. A crafted PCD file can trigger a one-byte heap out-of-bounds read during image decoding, resulting in denial of service and potential disclosure of an adjacent heap byte.
Published: 2026-06-21
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ImageMagick versions prior to 7.1.2-15 (and 6.x prior to 6.9.13-40) contain a heap out‑of‑bounds read in the PCD decoder’s DecodeImage loop. A malicious or crafted PCD file can trigger a one‑byte read beyond the bounds of a heap buffer during image decoding, causing the process to crash and potentially expose an adjacent heap byte. The primary impact is therefore denial of service, with a secondary risk of leaking sensitive information stored near the read location.

Affected Systems

All systems that run the affected ImageMagick binaries—specifically ImageMagick releases before 7.1.2-15 and before 6.9.13-40—use the vulnerable PCD decoder. Administrators should verify the exact build numbers on any production or public servers that process PCD images.

Risk and Exploitability

The CVSS score of 6.3 classifies the vulnerability as a moderate risk. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that large‑scale exploitation has not yet been observed. However, the flaw can be triggered simply by feeding a crafted PCD file into the image decoder, which may be possible both locally and remotely if a service accepts arbitrary image uploads. Attackers would typically need access to the filesystem or API that allows image uploads; no privilege escalation or remote code execution is required.

Generated by OpenCVE AI on June 21, 2026 at 16:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to version 7.1.2-15 or later, or to 6.9.13-40 or later if using the 6.x branch.
  • If an upgrade cannot be performed immediately, configure the system to reject or flag any PCD files that are not officially required, and avoid processing untrusted PCD content.
  • Deploy ImageMagick image processing in a sandboxed or isolated environment and enforce strict input validation to limit the potential impact of a malformed image.

Generated by OpenCVE AI on June 21, 2026 at 16:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6383-1 imagemagick security update
History

Tue, 23 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Moderate


Mon, 22 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Description ImageMagick before 7.1.2-15 (and 6.x before 6.9.13-40) contains a heap out-of-bounds read in the PCD coder's DecodeImage loop. A crafted PCD file can trigger a one-byte heap out-of-bounds read during image decoding, resulting in denial of service and potential disclosure of an adjacent heap byte.
Title ImageMagick - Heap Out-of-Bounds Read in PCD Decoder
First Time appeared Imagemagick
Imagemagick imagemagick
Weaknesses CWE-125
CPEs cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*
Vendors & Products Imagemagick
Imagemagick imagemagick
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}

cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Imagemagick Imagemagick
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-22T13:20:32.902Z

Reserved: 2026-06-21T02:05:47.495Z

Link: CVE-2026-56378

cve-icon Vulnrichment

Updated: 2026-06-22T13:20:14.708Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-21T13:26:57Z

Links: CVE-2026-56378 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-21T18:15:04Z

Weaknesses