[Pkg-gmagick-im-team] Bug#1126076: imagemagick: CVE-2026-23876
Salvatore Bonaccorso
carnil at debian.org
Wed Jan 21 15:38:13 GMT 2026
Source: imagemagick
Version: 8:7.1.2.12+dfsg1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for imagemagick.
CVE-2026-23876[0]:
| ImageMagick is free and open-source software used for editing and
| manipulating digital images. Prior to versions 7.1.2-13 and
| 6.9.13-38, a heap buffer overflow vulnerability in the XBM image
| decoder (ReadXBMImage) allows an attacker to write controlled data
| past the allocated heap buffer when processing a maliciously crafted
| image file. Any operation that reads or identifies an image can
| trigger the overflow, making it exploitable via common image upload
| and processing pipelines. Versions 7.1.2-13 and 6.9.13-38 fix the
| issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-23876
https://www.cve.org/CVERecord?id=CVE-2026-23876
[1] https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-r49w-jqq3-3gx8
[2] https://github.com/ImageMagick/ImageMagick/commit/2fae24192b78fdfdd27d766fd21d90aeac6ea8b8
[3] https://github.com/ImageMagick/ImageMagick6/commit/536512a2c60cd6e8c21c1256c2ee4da48d903e0c
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the Pkg-gmagick-im-team
mailing list