Vypr Intelligence · AI-generated · Jun 23, 2026 · 5 CVEs

ImageMagick: Five CVEs Disclosed Across SVG, PCD, PSB, and TXT Decoders

ImageMagick disclosed five vulnerabilities — including a command injection in the SVG decoder — across its image processing pipeline, all patched in versions 7.1.2-15 and 6.9.13-40.

Key findings

  • Five CVEs disclosed June 21–23, 2026, affecting ImageMagick 7.1.x and 6.9.x
  • CVE-2026-56379 is a command injection in the SVG decoder via MVG commands
  • Two heap out-of-bounds reads: PCD decoder (CVE-2026-56378) and PSB RLE (CVE-2026-56367)
  • Heap use-after-free in meta coder (CVE-2026-56376) causes denial of service
  • Memory leak in TXT file processing (CVE-2026-56371) can exhaust server memory
  • All bugs fixed in ImageMagick 7.1.2-15 and 6.9.13-40

ImageMagick disclosed five security vulnerabilities on June 21–23, 2026, spanning command injection, use-after-free, memory leaks, and out-of-bounds reads in its image decoding pipeline. The bugs affect both the 7.1.x and 6.9.x branches and were fixed in releases 7.1.2-15 and 6.9.13-40. Given ImageMagick's widespread use in web applications, media platforms, and server-side image processing, the batch represents a meaningful attack surface for denial-of-service, information disclosure, and — in the most severe case — arbitrary command execution.

Command injection in the SVG decoder

The most critical of the five is CVE-2026-56379 (no CVSS score is given in the CVE record, but it is described as a command injection), which resides in the SVG decoder. An attacker can craft a malicious SVG file that injects arbitrary Magick Vector Graphics (MVG) drawing commands. Because MVG commands are interpreted during rendering, this opens a path to execute arbitrary commands on the server. This is the kind of bug that could be weaponized in a drive-by download scenario or via image upload endpoints.

Memory safety issues in PCD, PSB, and meta coders

Two heap out-of-bounds reads were disclosed: CVE-2026-56378 in the PCD decoder and CVE-2026-56367 in the PSB (Photoshop Big) RLE decoding path. The PCD bug (published June 21) triggers a one-byte out-of-bounds read in the DecodeImage loop, potentially leaking an adjacent heap byte. The PSB bug, also published June 21, stems from an integer overflow in ReadPSDChannelRLE that causes a heap out-of-bounds read on 32-bit builds. Both can lead to denial of service or information disclosure.

CVE-2026-56376 is a heap use-after-free in the meta coder: when memory allocation fails, a single byte is written to a stale pointer. Remote attackers can trigger this by processing a specially crafted image file, causing a denial of service.

Memory leak in TXT file processing

CVE-2026-56371 describes a memory leak in coders/txt.c. When processing TXT files with a texture attribute, the texture object allocated via ReadImage is not released if GetTypeMetrics fails. Repeated processing of such files can exhaust server memory over time.

Patch and mitigation

All five CVEs are addressed in ImageMagick 7.1.2-15 and 6.9.13-40. Users running older versions — particularly those exposing ImageMagick to user-submitted images via web applications — should update immediately. No in-the-wild exploitation is reported in the CVE records, but the command injection bug in particular warrants urgent patching.
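As an added example (not part of the advisory or of ImageMagick itself), a small check that parses the banner printed by `magick -version` / `convert -version` and flags hosts still below the fixed releases named above; the sample banners are constructed.

```python
"""Flag ImageMagick installs that predate the fixed releases in the advisory:
7.1.2-15 for the 7.1.x branch and 6.9.13-40 for the 6.9.x branch.
Assumes the input is the first line of `magick -version` or `convert -version`."""
import re
from typing import Optional, Tuple

# Fixed releases per (major, minor) branch, as stated in the advisory.
FIXED = {
    (7, 1): (7, 1, 2, 15),
    (6, 9): (6, 9, 13, 40),
}

# ImageMagick versions read as major.minor.micro-patch, e.g. 7.1.2-14.
_VERSION_RE = re.compile(r"ImageMagick\s+(\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_version(banner: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract (major, minor, micro, patch) from a version banner, or None."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    return tuple(int(x) for x in m.groups())


def is_vulnerable(banner: str) -> Optional[bool]:
    """True if the version is on a covered branch and below the fixed release,
    False if at or above it, None if the banner cannot be parsed or the branch
    is not one the advisory covers (treat None as 'review manually')."""
    v = parse_version(banner)
    if v is None:
        return None
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return None
    # Tuple comparison handles the -NN patch level after micro, so 6.9.12-98
    # correctly sorts below 6.9.13-40.
    return v < fixed


# Constructed sample banners; not output from any real host.
SAMPLES = [
    "Version: ImageMagick 7.1.2-14 Q16-HDRI x86_64 22301",
    "Version: ImageMagick 7.1.2-15 Q16-HDRI x86_64 22302",
    "Version: ImageMagick 6.9.12-98 Q16 x86_64",
    "Version: ImageMagick 6.9.13-40 Q16 x86_64",
]

if __name__ == "__main__":
    label = {True: "VULNERABLE", False: "patched", None: "unknown"}
    for banner in SAMPLES:
        print(f"{label[is_vulnerable(banner)]:10} {banner}")
```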

Bottom line

This batch is a reminder that ImageMagick's sprawling codec support — SVG, PCD, PSB, TXT, and meta — continues to be a rich source of memory corruption and injection flaws. The disclosure is tightly clustered (two days) and fixed in a single pair of releases, making it straightforward for administrators to remediate. Organizations that process untrusted images should prioritize the update, especially for the SVG command injection vector.

AI-written article. Grounded in 5 CVE records listed below.