=====================================================================
                            CERT-Renater

                 Information Note No. 2026/VULN231
_____________________________________________________________________

DATE                 : 27/02/2026

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running ImageMagick (C/C++) versions prior to 7.1.2-15, 6.9.13-40, 7.1.2-15.

=====================================================================
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-8jvj-p28h-9gm7
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vhqj-f5cj-9x8h
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v7g2-m8c5-mf84
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7355-pwx2-pm84
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-72hf-fj62-w6j4
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-3mwp-xqp2-q6ph
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-96pc-27rx-pr36
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-pqgj-2p96-rx85
...
https://github.com/ImageMagick/ImageMagick/security
_____________________________________________________________________

Policy bypass through path traversal allows reading restricted content despite secured policy

High
dlemstra published GHSA-8jvj-p28h-9gm7 Feb 23, 2026

Package           : ImageMagick (C/C++)
Affected versions : < 7.1.2-15, < 6.9.13-40
Patched versions  : 7.1.2-15, 6.9.13-40

Description

ImageMagick’s path security policy is enforced on the raw filename string before the filesystem resolves it. As a result, a policy rule such as /etc/* can be bypassed by a path traversal. The OS resolves the traversal and opens the sensitive file, but the policy matcher only sees the unnormalized path and therefore allows the read. This enables local file disclosure (LFI) even when policy-secure.xml is applied.

Actions to prevent reading from files have been taken.
To make sure writing is also not possible, the following should be added to your policy:

This will also be included in our more secure policies by default.

Severity: High 8.6 / 10

CVSS v3 base metrics
  Attack vector       : Network
  Attack complexity   : Low
  Privileges required : None
  User interaction    : None
  Scope               : Changed
  Confidentiality     : High
  Integrity           : None
  Availability        : None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CVE ID     : CVE-2026-25965
Weaknesses : No CWEs
_____________________________________________________________________

Heap-buffer-overflow via signed integer overflow in `WriteUHDRImage` when writing UHDR images with large dimensions

High
dlemstra published GHSA-vhqj-f5cj-9x8h Feb 23, 2026

Package           : ImageMagick (C/C++)
Affected versions : < 7.1.2-15
Patched versions  : 7.1.2-15

Description

WriteUHDRImage in coders/uhdr.c uses int arithmetic to compute the pixel buffer size. When image dimensions are large, the multiplication overflows 32-bit int, causing an undersized heap allocation followed by an out-of-bounds write. This can crash the process or potentially lead to an out-of-bounds heap write.
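Added illustration (not the code of coders/uhdr.c): how a width * height * bytes-per-pixel product evaluated in 32 bits yields an undersized buffer length, next to a checked size_t computation. The function names, the dimensions and the 8 bytes per pixel are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Result of w*h*bpp when evaluated in 32 bits. Done in uint32_t so the
   wraparound is well defined here; with plain int it is undefined behaviour. */
static uint32_t size_in_32_bits(uint32_t w, uint32_t h, uint32_t bpp)
{
    return w * h * bpp;
}

/* Hardened: multiply in size_t and refuse any product that would wrap. */
static int checked_size(size_t w, size_t h, size_t bpp, size_t *out)
{
    if (w == 0 || h == 0 || bpp == 0) return -1;
    if (w > SIZE_MAX / h) return -1;
    if (w * h > SIZE_MAX / bpp) return -1;
    *out = w * h * bpp;
    return 0;
}

/* Allocate a pixel buffer only when the size computation is sound. */
static void *alloc_pixels(size_t w, size_t h, size_t bpp)
{
    size_t n;
    if (checked_size(w, h, bpp, &n) != 0) return NULL;
    return malloc(n);
}

int main(void)
{
    /* Constructed dimensions: 65536 x 16385 pixels, 8 bytes per pixel. */
    size_t n = 0;
    printf("32-bit result: %u bytes\n", (unsigned)size_in_32_bits(65536, 16385, 8));
    if (checked_size(65536, 16385, 8, &n) == 0)
        printf("size_t result: %zu bytes\n", n);
    void *small = alloc_pixels(640, 480, 8);      /* sane request succeeds */
    printf("small buffer: %s\n", small ? "allocated" : "refused");
    free(small);
    return 0;
}
```

A writer that allocates the 32-bit result and then fills width * height pixels writes far past the end of the buffer, which is the failure class the advisory describes.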
==1575126==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fc382ef3820 at pc 0x5560d31f229f bp 0x7ffe865f9530 sp 0x7ffe865f9520
WRITE of size 8 at 0x7fc382ef3820 thread T0
    #0 0x5560d31f229e in WriteUHDRImage coders/uhdr.c:807

Severity: High 8.2 / 10

CVSS v3 base metrics
  Attack vector       : Network
  Attack complexity   : Low
  Privileges required : None
  User interaction    : None
  Scope               : Unchanged
  Confidentiality     : Low
  Integrity           : None
  Availability        : High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

CVE ID     : CVE-2026-25794
Weaknesses : CWE-122, CWE-190
Credits    : @ylwango613 (Reporter)
_____________________________________________________________________

Memory allocation with excessive without limits in the internal SVG decoder

High
dlemstra published GHSA-v7g2-m8c5-mf84 Feb 23, 2026

Package           : ImageMagick (C/C++)
Affected versions : < 7.1.2-15, < 6.9.13-40
Patched versions  : 7.1.2-15, 6.9.13-40

Description

A crafted SVG file containing a malicious element causes ImageMagick to attempt to allocate ~674 GB of memory, leading to an out-of-memory abort.

Found via AFL++ fuzzing with afl-clang-lto instrumentation and AddressSanitizer.

Severity: High 7.5 / 10

CVSS v3 base metrics
  Attack vector       : Network
  Attack complexity   : Low
  Privileges required : None
  User interaction    : None
  Scope               : Unchanged
  Confidentiality     : None
  Integrity           : None
  Availability        : High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID     : CVE-2026-25985
Weaknesses : CWE-770, CWE-789
Credits    : @petermalone (Reporter)
_____________________________________________________________________

Integer overflow or wraparound and incorrect conversion between numeric types in the internal SVG decoder

High
dlemstra published GHSA-7355-pwx2-pm84 Feb 23, 2026

Package           : ImageMagick (C/C++)
Affected versions : < 7.1.2-15, < 6.9.13-40
Patched versions  : 7.1.2-15, 6.9.13-40

Description

A crafted SVG file can cause a denial of service.
An off-by-one boundary check (> instead of >=) allows bypassing the guard and reaching an undefined (size_t) cast.

Severity: High 7.5 / 10

CVSS v3 base metrics
  Attack vector       : Network
  Attack complexity   : Low
  Privileges required : None
  User interaction    : None
  Scope               : Unchanged
  Confidentiality     : None
  Integrity           : None
  Availability        : High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID     : CVE-2026-25989
Weaknesses : CWE-190, CWE-681
Credits    : @petermalone (Reporter)
_____________________________________________________________________

Stack buffer overflow in FTXT reader via oversized integer field

High
dlemstra published GHSA-72hf-fj62-w6j4 Feb 23, 2026

Package           : ImageMagick (C/C++)
Affected versions : < 7.1.2-15
Patched versions  : 7.1.2-15

Description

Summary

A stack-based buffer overflow exists in the ImageMagick FTXT image reader. A crafted FTXT file can cause out-of-bounds writes on the stack, leading to a crash.

=================================================================
==3537074==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffee4850ef0 at pc 0x5607c408fb33 bp 0x7ffee484fe50 sp 0x7ffee484fe40
WRITE of size 1 at 0x7ffee4850ef0 thread T0

Severity: High 7.4 / 10

CVSS v3 base metrics
  Attack vector       : Network
  Attack complexity   : High
  Privileges required : None
  User interaction    : None
  Scope               : Unchanged
  Confidentiality     : None
  Integrity           : High
  Availability        : High
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

CVE ID     : CVE-2026-25967
Weaknesses : CWE-121
Credits    : @ylwango613 (Reporter)
_____________________________________________________________________

MSL attribute stack buffer overflow leads to out of bounds write

High
dlemstra published GHSA-3mwp-xqp2-q6ph Feb 23, 2026

Package           : ImageMagick (C/C++)
Affected versions : < 7.1.2-15, < 6.9.13-40
Patched versions  : 7.1.2-15, 6.9.13-40

Description

A stack buffer overflow occurs when processing an attribute in msl.c. A long value overflows a fixed-size stack buffer, leading to memory corruption.
=================================================================
==278522==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdb8c76984 at pc 0x55a4bf16f507 bp 0x7ffdb8c75bc0 sp 0x7ffdb8c75bb0
WRITE of size 1 at 0x7ffdb8c76984 thread T0

Severity: High 7.4 / 10

CVSS v3 base metrics
  Attack vector       : Network
  Attack complexity   : High
  Privileges required : None
  User interaction    : None
  Scope               : Unchanged
  Confidentiality     : High
  Integrity           : None
  Availability        : High
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H

CVE ID     : CVE-2026-25968
Weaknesses : CWE-121
Credits    : @ylwango613 (Reporter)
_____________________________________________________________________

Possible Heap Information Disclosure in PSD ZIP Decompression

High
dlemstra published GHSA-96pc-27rx-pr36 Feb 23, 2026

Package           : ImageMagick (C/C++)
Affected versions : < 7.1.2-15, < 6.9.13-40
Patched versions  : 7.1.2-15, 6.9.13-40

Description

A heap information disclosure vulnerability exists in ImageMagick's PSD (Adobe Photoshop) format handler. When processing a maliciously crafted PSD file containing ZIP-compressed layer data that decompresses to less than the expected size, uninitialized heap memory is leaked into the output image.

Expected Impact

Information disclosure leading to potential exposure of sensitive data from server memory.
Severity: High 7.5 / 10

CVSS v3 base metrics
  Attack vector       : Network
  Attack complexity   : Low
  Privileges required : None
  User interaction    : None
  Scope               : Unchanged
  Confidentiality     : High
  Integrity           : None
  Availability        : None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE ID     : CVE-2026-24481
Weaknesses : CWE-125
_____________________________________________________________________

An infinite loop vulnerability when parsing a PCD file

High
dlemstra published GHSA-pqgj-2p96-rx85 Feb 23, 2026

Package           : ImageMagick (C/C++)
Affected versions : < 7.1.2-15, < 6.9.13-40
Patched versions  : 7.1.2-15, 6.9.13-40

Description

When a PCD file does not contain a valid marker, the DecodeImage() function becomes trapped in an infinite loop while searching for the marker, causing the program to become unresponsive and continuously consume CPU resources, ultimately leading to system resource exhaustion and denial of service.

Severity: High 7.5 / 10

CVSS v3 base metrics
  Attack vector       : Network
  Attack complexity   : Low
  Privileges required : None
  User interaction    : None
  Scope               : Unchanged
  Confidentiality     : None
  Integrity           : None
  Availability        : High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID     : CVE-2026-24485
Weaknesses : CWE-400
Credits    : @ylwango613 (Reporter)

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================