ImageMagick update fixes multiple security risks in image processing
SUSE-SU-2026:0854-1
Summary
An update is available for ImageMagick, software used to process images. This update addresses multiple security issues that could allow an attacker to crash the program, access unauthorized data, or cause it to run malicious code. Users are advised to apply the update as soon as possible to ensure their system remains secure.
What to do
- Update imagemagick to version 6.8.8.1-71.231.1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | imagemagick | <= 6.8.8.1-71.231.1 | 6.8.8.1-71.231.1 |
Original title
Security update for ImageMagick
Original description
This update for ImageMagick fixes the following issues:
- CVE-2026-24484: denial of service vulnerability via multi-layer nested MVG to SVG conversion (bsc#1258790).
- CVE-2026-24485: denial of service via malformed PCD file processing (bsc#1258791).
- CVE-2026-25576: Out of bounds read in multiple coders that read raw pixel data (bsc#1258748).
- CVE-2026-25795: Denial of Service due to NULL pointer dereference during temporary file creation failure (bsc#1258792).
- CVE-2026-25796: Memory leak of watermark Image object in ReadSTEGANOImage on multiple error/early-return paths (bsc#1258757).
- CVE-2026-25797: Code injection in various encoders (bsc#1258770).
- CVE-2026-25799: Division-by-Zero in YUV sampling factor validation leads to crash (bsc#1258786).
- CVE-2026-25966: Security Policy Bypass through config/policy-secure.xml via 'fd handler' leads to stdin/stdout access (bsc#1258780).
- CVE-2026-25983: Denial of service via crafted MSL script (bsc#1258805).
- CVE-2026-25987: Memory disclosure and denial of service via crafted MAP files (bsc#1258821).
- CVE-2026-25988: Denial of Service due to memory leak in image processing (bsc#1258810).
- CVE-2026-26066: Infinite loop when writing IPTCTEXT leads to denial of service via crafted profile (bsc#1258769).
- CVE-2026-26284: Heap overflow in pcd decoder leads to out of bounds read (bsc#1258765).
- CVE-2026-26983: Invalid MSL <map> can result in a use after free (bsc#1258763).
- CVE-2026-27799: ImageMagick has a heap Buffer Over-read in its DJVU image format handler (bsc#1259017).
- https://www.suse.com/support/update/announcement/2026/suse-su-20260854-1/ Vendor Advisory
- https://bugzilla.suse.com/1258748 Third Party Advisory
- https://bugzilla.suse.com/1258757 Third Party Advisory
- https://bugzilla.suse.com/1258763 Third Party Advisory
- https://bugzilla.suse.com/1258765 Third Party Advisory
- https://bugzilla.suse.com/1258769 Third Party Advisory
- https://bugzilla.suse.com/1258770 Third Party Advisory
- https://bugzilla.suse.com/1258780 Third Party Advisory
- https://bugzilla.suse.com/1258786 Third Party Advisory
- https://bugzilla.suse.com/1258790 Third Party Advisory
- https://bugzilla.suse.com/1258791 Third Party Advisory
- https://bugzilla.suse.com/1258792 Third Party Advisory
- https://bugzilla.suse.com/1258805 Third Party Advisory
- https://bugzilla.suse.com/1258810 Third Party Advisory
- https://bugzilla.suse.com/1258821 Third Party Advisory
- https://bugzilla.suse.com/1259017 Third Party Advisory
- https://www.suse.com/security/cve/CVE-2026-24484 URL
- https://www.suse.com/security/cve/CVE-2026-24485 URL
- https://www.suse.com/security/cve/CVE-2026-25576 URL
- https://www.suse.com/security/cve/CVE-2026-25795 URL
- https://www.suse.com/security/cve/CVE-2026-25796 URL
- https://www.suse.com/security/cve/CVE-2026-25797 URL
- https://www.suse.com/security/cve/CVE-2026-25799 URL
- https://www.suse.com/security/cve/CVE-2026-25966 URL
- https://www.suse.com/security/cve/CVE-2026-25983 URL
- https://www.suse.com/security/cve/CVE-2026-25987 URL
- https://www.suse.com/security/cve/CVE-2026-25988 URL
- https://www.suse.com/security/cve/CVE-2026-26066 URL
- https://www.suse.com/security/cve/CVE-2026-26284 URL
- https://www.suse.com/security/cve/CVE-2026-26983 URL
- https://www.suse.com/security/cve/CVE-2026-27799 URL
Published: 9 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026