CVE-2026-26284
Received Received - Intake
Out-of-Bounds Read in ImageMagick PCD Huffman Decoder

Publication date: 2026-02-24

Last updated on: 2026-02-24

Assigner: GitHub, Inc.

Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, ImageMagick lacks proper boundary checking when processing Huffman-coded data from PCD (Photo CD) files. The decoder contains an function that has an incorrect initialization that could cause an out of bounds read. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-24
Last Modified
2026-02-24
Generated
2026-06-16
AI Q&A
2026-02-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-26284
EUVD
EUVD-2026-7413
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
imagemagick imagemagick to 6.9.13-40 (exc)
imagemagick imagemagick From 7.0.0-0 (inc) to 7.1.2-15 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-26284 is a moderate severity vulnerability in the ImageMagick software, specifically affecting versions prior to 7.1.2-15 and 6.9.13-40. The issue is in the PCD image decoder, which improperly handles Huffman-coded data due to insufficient boundary checking.

This flaw is caused by incorrect initialization within a decoder function, leading to a heap-based buffer overflow and an out-of-bounds read when processing image data. Essentially, the decoder reads memory beyond the allocated buffer, which can cause unexpected behavior or crashes.

The vulnerability is classified under CWE-122 (Heap-based Buffer Overflow) and CWE-787 (Out-of-bounds Write). Exploitation requires no privileges or user interaction and can be performed remotely.

Impact Analysis

This vulnerability can lead to a heap-based buffer overflow and out-of-bounds memory reads when processing specially crafted PCD image files.

The impact includes a low loss of confidentiality and a low impact on availability, meaning some sensitive information could potentially be exposed and the software might crash or become unavailable temporarily.

There is no impact on data integrity, and exploitation does not require any privileges or user interaction, making it possible for an attacker to exploit it remotely.

Compliance Impact

I don't know

Detection Guidance

This vulnerability in ImageMagick was detected using AddressSanitizer, which reported a heap-buffer-overflow error when reading memory beyond the allocated buffer.

To detect if your system is vulnerable, you can check the installed ImageMagick version. Versions prior to 7.1.2-15 and 6.9.13-40 are affected.

Suggested commands to check the ImageMagick version on your system include:

  • magick --version
  • convert --version

If the version is older than the patched versions, your system is vulnerable.

Mitigation Strategies

The immediate mitigation step is to upgrade ImageMagick to a patched version.

  • Update ImageMagick to version 7.1.2-15 or later, or 6.9.13-40 or later.

Avoid processing untrusted PCD (Photo CD) files until the update is applied, as the vulnerability resides in the PCD image decoder.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26284. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart