45e009ab4a
For more information on the version bump, see:
- https://github.com/ImageMagick/Website/blob/main/ChangeLog.md
- https://github.com/ImageMagick/ImageMagick/compare/7.1.2-12...7.1.2-15

Fixes the following vulnerabilities:

- CVE-2026-22770: The BilateralBlurImage method will allocate a set of double buffers inside AcquireBilateralTLS. But, in versions prior to 7.1.2-13, the last element in the set is not properly initialized. This will result in a release of an invalid pointer inside DestroyBilateralTLS when the memory allocation fails.
  https://www.cve.org/CVERecord?id=CVE-2026-22770

- CVE-2026-23874: Versions prior to 7.1.2-13 have a stack overflow via infinite recursion in the MSL (Magick Scripting Language) `<write>` command when writing to MSL format.
  https://www.cve.org/CVERecord?id=CVE-2026-23874

- CVE-2026-23876: Prior to versions 7.1.2-13 and 6.9.13-38, a heap buffer overflow vulnerability in the XBM image decoder (ReadXBMImage) allows an attacker to write controlled data past the allocated heap buffer when processing a maliciously crafted image file. Any operation that reads or identifies an image can trigger the overflow, making it exploitable via common image upload and processing pipelines.
  https://www.cve.org/CVERecord?id=CVE-2026-23876

- CVE-2026-24481: Prior to versions 7.1.2-15 and 6.9.13-40, a heap information disclosure vulnerability exists in ImageMagick's PSD (Adobe Photoshop) format handler. When processing a maliciously crafted PSD file containing ZIP-compressed layer data that decompresses to less than the expected size, uninitialized heap memory is leaked into the output image.
  https://www.cve.org/CVERecord?id=CVE-2026-24481

- CVE-2026-25638: Prior to versions 7.1.2-15 and 6.9.13-40, a memory leak exists in `coders/msl.c`. In the `WriteMSLImage` function of the `msl.c` file, resources are allocated, but the function returns early without releasing these allocated resources.
  https://www.cve.org/CVERecord?id=CVE-2026-25638

- CVE-2026-25794: `WriteUHDRImage` in `coders/uhdr.c` uses `int` arithmetic to compute the pixel buffer size. Prior to version 7.1.2-15, when image dimensions are large, the multiplication overflows 32-bit `int`, causing an undersized heap allocation followed by an out-of-bounds write. This can crash the process or potentially lead to an out-of-bounds heap write.
  https://www.cve.org/CVERecord?id=CVE-2026-25794

- CVE-2026-25795: Prior to versions 7.1.2-15 and 6.9.13-40, in `ReadSFWImage()` (`coders/sfw.c`), when temporary file creation fails, `read_info` is destroyed before its `filename` member is accessed, causing a NULL pointer dereference and crash.
  https://www.cve.org/CVERecord?id=CVE-2026-25795

- CVE-2026-25796: Prior to versions 7.1.2-15 and 6.9.13-40, in `ReadSTEGANOImage()` (`coders/stegano.c`), the `watermark` Image object is not freed on three early-return paths, resulting in a definite memory leak (~13.5KB+ per invocation) that can be exploited for denial of service.
  https://www.cve.org/CVERecord?id=CVE-2026-25796

- CVE-2026-25798: Prior to versions 7.1.2-15 and 6.9.13-40, a NULL pointer dereference in ClonePixelCacheRepository allows a remote attacker to crash any application linked against ImageMagick by supplying a crafted image file, resulting in denial of service.
  https://www.cve.org/CVERecord?id=CVE-2026-25798

- CVE-2026-25799: Prior to versions 7.1.2-15 and 6.9.13-40, a logic error in YUV sampling factor validation allows an invalid sampling factor to bypass checks and trigger a division-by-zero during image loading, resulting in a reliable denial-of-service.
  https://www.cve.org/CVERecord?id=CVE-2026-25799

- CVE-2026-25897: Prior to versions 7.1.2-15 and 6.9.13-40, an Integer Overflow vulnerability exists in the sun decoder. On 32-bit systems/builds, a carefully crafted image can lead to an out-of-bounds heap write.
  https://www.cve.org/CVERecord?id=CVE-2026-25897

- CVE-2026-25989: Prior to versions 7.1.2-15 and 6.9.13-40, a crafted SVG file can cause a denial of service. An off-by-one boundary check (`>` instead of `>=`) allows bypassing the guard and reaching an undefined `(size_t)` cast.
  https://www.cve.org/CVERecord?id=CVE-2026-25989

- CVE-2026-26066: Prior to versions 7.1.2-15 and 6.9.13-40, a crafted profile containing invalid IPTC data may cause an infinite loop when writing it with `IPTCTEXT`.
  https://www.cve.org/CVERecord?id=CVE-2026-26066

- CVE-2026-26283: Prior to versions 7.1.2-15 and 6.9.13-40, a `continue` statement in the JPEG extent binary search loop in the jpeg encoder causes an infinite loop when writing persistently fails. An attacker can trigger 100% CPU consumption and a process hang (Denial of Service) with a crafted image.
  https://www.cve.org/CVERecord?id=CVE-2026-26283

- CVE-2026-26284: Prior to versions 7.1.2-15 and 6.9.13-40, ImageMagick lacks proper boundary checking when processing Huffman-coded data from PCD (Photo CD) files. The decoder contains a function that has an incorrect initialization that could cause an out-of-bounds read.
  https://www.cve.org/CVERecord?id=CVE-2026-26284

- CVE-2026-26983: Prior to versions 7.1.2-15 and 6.9.13-40, the MSL interpreter crashes when processing an invalid `<map>` element that causes it to use an image after it has been freed.
  https://www.cve.org/CVERecord?id=CVE-2026-26983

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
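Several of the entries above (CVE-2026-25794, CVE-2026-25897) share one root cause: a pixel buffer size computed in 32-bit arithmetic that wraps for large dimensions, so the allocation is smaller than the data written into it. The following is an added, constructed example that is not ImageMagick's code and does not reproduce any of its coders; it shows the wrapping computation beside a checked one so that a reviewer can see what the fix has to guarantee. The `width`/`height`/`bytes_per_pixel` inputs and the function names are assumptions for illustration.

```c
#include <stdint.h>
#include <limits.h>
#include <stdio.h>

/* Constructed example (not ImageMagick's code): the arithmetic pattern behind
   CVE-2026-25794, a pixel buffer size computed in 32 bits, next to a checked
   version. Function and parameter names are hypothetical. */

/* Flawed pattern. A 32-bit unsigned accumulator is used here so that the wrap
   is well-defined and observable; the original flaw used int, where signed
   overflow is undefined behaviour. */
static uint32_t pixel_bytes_wrapping32(uint32_t width, uint32_t height,
                                       uint32_t bytes_per_pixel)
{
    return width * height * bytes_per_pixel;  /* wraps modulo 2^32 */
}

/* Checked version: compute in 64 bits, refuse products that do not fit, and
   refuse anything above INT_MAX because downstream code still stores the
   size in an int. Returns 0 and stores the size in *out, or -1 on overflow. */
static int pixel_bytes_checked(uint32_t width, uint32_t height,
                               uint32_t bytes_per_pixel, uint64_t *out)
{
    uint64_t pixels = (uint64_t)width * (uint64_t)height;  /* < 2^64, no wrap */
    if (bytes_per_pixel != 0 && pixels > UINT64_MAX / bytes_per_pixel)
        return -1;
    uint64_t total = pixels * bytes_per_pixel;
    if (total > (uint64_t)INT_MAX)
        return -1;  /* would be truncated when stored in int */
    *out = total;
    return 0;
}

/* Returns 1 when the wrapping computation would allocate fewer bytes than
   the image actually needs, i.e. the precondition for the heap overflow. */
static int allocation_undersized(uint32_t width, uint32_t height,
                                 uint32_t bytes_per_pixel)
{
    uint64_t need = (uint64_t)width * height * bytes_per_pixel;
    uint64_t got = pixel_bytes_wrapping32(width, height, bytes_per_pixel);
    return got < need;
}

int main(void)
{
    uint64_t size = 0;

    /* 40000 x 40000 x 4 = 6,400,000,000 bytes: does not fit in 32 bits. */
    printf("wrapping32(40000,40000,4) = %u\n",
           pixel_bytes_wrapping32(40000, 40000, 4));
    printf("undersized: %d\n", allocation_undersized(40000, 40000, 4));
    printf("checked(40000,40000,4): %s\n",
           pixel_bytes_checked(40000, 40000, 4, &size) == 0 ? "ok" : "rejected");

    /* A normal image passes the checked path. */
    printf("checked(640,480,4): %s, %llu bytes\n",
           pixel_bytes_checked(640, 480, 4, &size) == 0 ? "ok" : "rejected",
           (unsigned long long)size);
    return 0;
}
```

The checked variant rejects the large case rather than clamping it; for a decoder, refusing the image is the safe outcome, since any "corrected" size would still disagree with the dimensions the rest of the coder uses. The same division-based guard applies to the 32-bit builds named in CVE-2026-25897, where `size_t` itself is 32 bits and a 64-bit intermediate is needed before comparing against the allocator's limit.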