CVE-2026-26284
Out-of-Bounds Read in ImageMagick PCD Huffman Decoder
Publication date: 2026-02-24
Last updated on: 2026-02-24
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| imagemagick | imagemagick | Up to 6.9.13-40 (exc) |
| imagemagick | imagemagick | From 7.0.0-0 (inc) to 7.1.2-15 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-26284 is a moderate severity vulnerability in the ImageMagick software, specifically affecting versions prior to 7.1.2-15 and 6.9.13-40. The issue is in the PCD image decoder, which improperly handles Huffman-coded data due to insufficient boundary checking.
This flaw is caused by incorrect initialization within a decoder function, leading to a heap-based buffer overflow and an out-of-bounds read when processing image data. Essentially, the decoder reads memory beyond the allocated buffer, which can cause unexpected behavior or crashes.
The vulnerability is classified under CWE-122 (Heap-based Buffer Overflow) and CWE-787 (Out-of-bounds Write). Exploitation requires no privileges or user interaction and can be performed remotely.
How can this vulnerability impact me?
This vulnerability can lead to a heap-based buffer overflow and out-of-bounds memory reads when processing specially crafted PCD image files.
The impact includes a low loss of confidentiality and a low impact on availability, meaning some sensitive information could potentially be exposed and the software might crash or become unavailable temporarily.
There is no impact on data integrity, and exploitation does not require any privileges or user interaction, making it possible for an attacker to exploit it remotely.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability in ImageMagick was detected using AddressSanitizer, which reported a heap-buffer-overflow error when reading memory beyond the allocated buffer.
To detect if your system is vulnerable, you can check the installed ImageMagick version. Versions prior to 7.1.2-15 and 6.9.13-40 are affected.
Suggested commands to check the ImageMagick version on your system include:
- magick --version
- convert --version
If the version is older than the patched versions, your system is vulnerable.
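As an added example that is not part of the record above, the following Python script performs the version comparison the answer describes: it parses the banner printed by `magick --version` or `convert --version` and compares it against the fixed versions 6.9.13-40 and 7.1.2-15 from the affected-products table. The sample banner is constructed, and the command invocation and range logic are the example's own, not ImageMagick's.

```python
import re
import subprocess
from typing import Optional, Tuple

# First fixed build on each major branch, taken from the advisory's
# affected-version table; anything below these on the same branch is affected.
FIXED_VERSIONS = {6: (6, 9, 13, 40), 7: (7, 1, 2, 15)}

# Constructed sample of the first line `magick --version` prints; everything
# after the version number (quantum depth, arch, URL) is ignored by the parser.
SAMPLE_BANNER = "Version: ImageMagick 7.1.1-29 Q16-HDRI x86_64 22087 https://imagemagick.org"

_VERSION_RE = re.compile(r"ImageMagick\s+(\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_version(banner: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract (major, minor, patch, build) from an ImageMagick version banner."""
    m = _VERSION_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version: Tuple[int, int, int, int]) -> Optional[bool]:
    """True if the version is in the affected ranges: 6.x before 6.9.13-40,
    or 7.x from 7.0.0-0 up to (excluding) 7.1.2-15. None if the major branch
    is not covered by the advisory."""
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        return None
    # Tuple comparison orders by major, minor, patch, then build number.
    return version < fixed


def installed_banner() -> str:
    """Run the commands suggested above; returns '' if neither binary exists."""
    for cmd in (["magick", "--version"], ["convert", "--version"]):
        try:
            return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
        except OSError:
            continue
    return ""


def check(banner: str) -> str:
    """Return a one-line verdict for a version banner."""
    v = parse_version(banner)
    if v is None:
        return "unknown: no ImageMagick version found"
    label = "%d.%d.%d-%d" % v
    verdict = is_affected(v)
    if verdict is None:
        return f"{label}: not covered by CVE-2026-26284"
    return f"{label}: {'AFFECTED, upgrade' if verdict else 'fixed'}"


if __name__ == "__main__":
    print(check(SAMPLE_BANNER))
    print(check(installed_banner() or "no ImageMagick installed"))
```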
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade ImageMagick to a patched version.
- Update ImageMagick to version 7.1.2-15 or later, or 6.9.13-40 or later.
Avoid processing untrusted PCD (Photo CD) files until the update is applied, as the vulnerability resides in the PCD image decoder.