{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26284", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-12T17:10:53.414Z", "datePublished": "2026-02-24T02:00:19.417Z", "dateUpdated": "2026-02-24T20:46:56.730Z"}, "containers": {"cna": {"title": "ImageMagick has heap overflow in pcd decoder that leads to out of bounds read.", "problemTypes": [{"descriptions": [{"cweId": "CWE-122", "lang": "en", "description": "CWE-122: Heap-based Buffer Overflow", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-787", "lang": "en", "description": "CWE-787: Out-of-bounds Write", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-wrhr-rf8j-r842", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-wrhr-rf8j-r842"}], "affected": [{"vendor": "ImageMagick", "product": "ImageMagick", "versions": [{"version": ">= 7.0.0, < 7.1.2-15", "status": "affected"}, {"version": "< 6.9.13-40", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-24T02:00:19.417Z"}, "descriptions": [{"lang": "en", "value": "ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, ImageMagick lacks proper boundary checking when processing Huffman-coded data from PCD (Photo CD) files. The decoder contains an function that has an incorrect initialization that could cause an out of bounds read. Versions 7.1.2-15 and 6.9.13-40 contain a patch."}], "source": {"advisory": "GHSA-wrhr-rf8j-r842", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T20:46:33.995511Z", "id": "CVE-2026-26284", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T20:46:56.730Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26284", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-12T17:10:53.414Z", "datePublished": "2026-02-24T02:00:19.417Z", "dateUpdated": "2026-02-24T20:46:56.730Z"}, "containers": {"cna": {"title": "ImageMagick has heap overflow in pcd decoder that leads to out of bounds read.", "problemTypes": [{"descriptions": [{"cweId": "CWE-122", "lang": "en", "description": "CWE-122: Heap-based Buffer Overflow", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-787", "lang": "en", "description": "CWE-787: Out-of-bounds Write", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-wrhr-rf8j-r842", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-wrhr-rf8j-r842"}], "affected": [{"vendor": "ImageMagick", "product": "ImageMagick", "versions": [{"version": ">= 7.0.0, < 7.1.2-15", "status": "affected"}, {"version": "< 6.9.13-40", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-24T02:00:19.417Z"}, "descriptions": [{"lang": "en", "value": "ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, ImageMagick lacks proper boundary checking when processing Huffman-coded data from PCD (Photo CD) files. The decoder contains an function that has an incorrect initialization that could cause an out of bounds read. Versions 7.1.2-15 and 6.9.13-40 contain a patch."}], "source": {"advisory": "GHSA-wrhr-rf8j-r842", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26284", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-24T20:46:33.995511Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T20:46:40.783Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*", "matchCriteriaId": "C6F44A65-1733-4752-AAD0-BCCC7BDBC877", "versionEndExcluding": "6.9.13-40", "vulnerable": true}, {"criteria": "cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*", "matchCriteriaId": "6AFFD439-1068-4B6F-AE01-724AC62CDCEA", "versionEndExcluding": "7.1.2-15", "versionStartIncluding": "7.0.0-0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, ImageMagick lacks proper boundary checking when processing Huffman-coded data from PCD (Photo CD) files. The decoder contains an function that has an incorrect initialization that could cause an out of bounds read. Versions 7.1.2-15 and 6.9.13-40 contain a patch."}, {"lang": "es", "value": "ImageMagick es un software libre y de c\u00f3digo abierto utilizado para editar y manipular im\u00e1genes digitales. Antes de las versiones 7.1.2-15 y 6.9.13-40, ImageMagick carece de una comprobaci\u00f3n de l\u00edmites adecuada al procesar datos codificados con Huffman de archivos PCD (Photo CD). El decodificador contiene una funci\u00f3n que tiene una inicializaci\u00f3n incorrecta que podr\u00eda causar una lectura fuera de l\u00edmites. Las versiones 7.1.2-15 y 6.9.13-40 contienen un parche."}], "id": "CVE-2026-26284", "lastModified": "2026-02-24T18:39:19.270", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-24T03:16:01.543", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-wrhr-rf8j-r842"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}, {"lang": "en", "value": "CWE-787"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "ImageMagick: ImageMagick: Out-of-bounds read via crafted Photo CD (PCD) files", "id": "2442137", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442137"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "status": "draft"}, "cwe": "CWE-131", "details": ["A flaw was found in ImageMagick, a free and open-source software used for editing and manipulating digital images. When processing Huffman-coded data from Photo CD (PCD) files, the image decoder contains an incorrect initialization that could lead to an out-of-bounds read. This vulnerability could allow a remote attacker to cause information disclosure or a denial of service."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, restrict ImageMagick's ability to process PCD (Photo CD) files by disabling the PCD coder. This can be done by adding or modifying a policy entry in the ImageMagick configuration file, typically located at `/etc/ImageMagick-X/policy.xml` (where 'X' is the ImageMagick version). Add the following line within the `<policymap>` tags:\n```xml\n<policy domain=\"coder\" rights=\"none\" pattern=\"PCD\" />\n```\nApplications utilizing ImageMagick may require a restart for this change to take effect. This action will prevent ImageMagick from processing PCD files, which may affect functionality dependent on this format."}, "name": "CVE-2026-26284", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "ImageMagick", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "ImageMagick", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2026-02-24T02:00:19Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-26284\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-26284\nhttps://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-wrhr-rf8j-r842"], "statement": "This MODERATE impact vulnerability in ImageMagick involves a heap overflow in the PCD (Photo CD) decoder, leading to an out-of-bounds read when processing Huffman-coded data. An attacker could exploit this by providing a specially crafted PCD file. Red Hat Enterprise Linux 6 ELS and 7 ELS are affected.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.0.0,7.1.2-15)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.9.13-40)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "ImageMagick", "source": "cna", "vendor": "ImageMagick"}, "product": "imagemagick", "vendor": "imagemagick"}], "analysis": {"en": {"generated_at": "2026-04-17T15:56:42.358982+00:00", "value": {"mitigation_remediation": ["Upgrade ImageMagick to version 7.1.2-15 or 6.9.13-40, which include the fixed boundary checks in the PCD decoder.", "Disallow or restrict processing of PCD files when dealing with untrusted input. If possible, disable PCD support in the configuration to eliminate the attack surface.", "Monitor system logs and runtime behavior for signs of memory corruptions or abnormal crashes, and apply additional input validation or sandboxing around image processing operations."], "summary": {"action": "Apply Patch", "impact": "Memory Corruption (Out\u2011of\u2011Bounds Read)"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the ImageMagick ImageMagick product prior to versions 7.1.2-15 and 6.9.13-40. Systems running those earlier releases that process PCD files are susceptible. The patched releases 7.1.2-15 and 6.9.13-40 contain the necessary bounds checking and are no longer vulnerable.", "description_and_impact": "ImageMagick, a widely used open source image manipulation library, contains a flaw in the PCD (Photo CD) decoder. The decoder performs Huffman\u2011coded data decoding without sufficient boundary validation, allowing an attacker to supply a crafted PCD file that triggers an out\u2011of\u2011bounds read. This memory corruption can expose internal state or, if exploited further, could potentially lead to information disclosure or denial of service. The weakness corresponds to multiple weaknesses including buffer overread and improper array index validation.", "risk_and_exploitability": "The CVSS score of 6.5 indicates medium severity, and the EPSS score of less than 1% implies a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to supply a malicious PCD file to an ImageMagick instance. If the image processing environment is exposed to untrusted input, the risk increases, but no confirmed remote code execution vector exists; the principal risk is memory corruption that could crash or leak data."}}}}, "created": "2026-02-24T09:53:33.578633+00:00", "updated": "2026-04-17T16:00:11.385272+00:00", "vendors": ["imagemagick", "imagemagick$PRODUCT$imagemagick"]}