VYPR
Moderate severity · NVD Advisory · Published Feb 24, 2026 · Updated Feb 24, 2026

ImageMagick has a heap overflow in the PCD decoder that leads to an out-of-bounds read.

CVE-2026-26284

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, ImageMagick lacks proper boundary checking when processing Huffman-coded data from PCD (Photo CD) files. The decoder contains a function with an incorrect initialization that could cause an out-of-bounds read. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ImageMagick PCD decoder out-of-bounds read due to missing boundary check on Huffman-coded data, leading to potential information disclosure or crash.

CVE-2026-26284 is a vulnerability in ImageMagick's PCD (Photo CD) image decoder [1]. The software fails to properly validate boundary conditions when processing Huffman-coded data from PCD files. The decoder function contains an incorrect initialization that can lead to an out-of-bounds read [2][4].

An attacker can exploit this issue by crafting a malicious PCD file and delivering it to an application that uses ImageMagick for image processing. The vulnerability does not require authentication or user interaction beyond opening the file, and it can be triggered remotely if the application processes user-supplied images [4].

Successful exploitation could allow the attacker to read memory beyond the intended buffer boundaries, potentially leaking sensitive information or causing a denial of service via a crash. The CVSS vector (not fully assessed by NVD at publication) suggests the impact on confidentiality, integrity, and availability could vary [2][4].

The issue is resolved in ImageMagick versions 7.1.2-15 and 6.9.13-40. Users are advised to update to these or later versions. No workaround is documented, but applying a security policy to restrict processing of PCD files may reduce risk [2][4].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| Magick.NET-Q16-AnyCPU | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-AnyCPU | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-OpenMP-arm64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-arm64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-x64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-x86 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-OpenMP-arm64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-OpenMP-x64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-OpenMP-x86 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-arm64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-x64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-x86 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-OpenMP-x64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-AnyCPU | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-OpenMP-arm64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-OpenMP-x64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-arm64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-x64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-x86 | NuGet | < 14.10.3 | 14.10.3 |

Affected products

2 entries
  • ImageMagick/Imagemagick (llm-fuzzy), 2 versions
    • (no CPE) range: <7.1.2-15, <6.9.13-40
    • (no CPE) range: >= 7.0.0, < 7.1.2-15
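
For triaging hosts and dependency manifests against the fixed releases listed above, a branch-aware version check can be scripted. This is an added example, not code from the advisory or from the ImageMagick project; it assumes the usual `ImageMagick X.Y.Z-N` string printed by `magick -version`, and the sample strings are constructed.

```python
import re

# Fixed releases stated in the advisory, per upstream branch.
FIXED_6 = (6, 9, 13, 40)
FIXED_7 = (7, 1, 2, 15)
MAGICK_NET_FIXED = (14, 10, 3)

# Assumed input: the first line of `magick -version` / `convert -version`,
# e.g. "Version: ImageMagick 7.1.2-13 Q16-HDRI x86_64 ...".
_VERSION_RE = re.compile(r"ImageMagick (\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_imagemagick_version(text):
    """Return (major, minor, patch, release) found in version output."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError("no ImageMagick version string found")
    return tuple(int(part) for part in match.groups())


def imagemagick_is_affected(text):
    """True if the reported version predates the fix for its branch."""
    version = parse_imagemagick_version(text)
    if version[0] <= 6:
        return version < FIXED_6
    if version[0] == 7:
        return version < FIXED_7
    # The advisory only covers the 6.x and 7.x branches; do not guess.
    raise ValueError(f"unexpected major version {version[0]}")


def magick_net_is_affected(package_version):
    """True if a Magick.NET NuGet package version is below 14.10.3."""
    parts = tuple(int(p) for p in package_version.split(".")[:3])
    return parts < MAGICK_NET_FIXED


if __name__ == "__main__":
    # Constructed sample inputs, not captured from real hosts.
    samples = [
        "Version: ImageMagick 7.1.2-13 Q16-HDRI x86_64 https://imagemagick.org",
        "Version: ImageMagick 6.9.13-40 Q16 x86_64 https://legacy.imagemagick.org",
    ]
    for line in samples:
        status = "AFFECTED" if imagemagick_is_affected(line) else "fixed"
        print(f"{parse_imagemagick_version(line)} -> {status}")
    print("Magick.NET 14.10.2 ->", magick_net_is_affected("14.10.2"))
```

Distribution packages that backport fixes keep the older upstream version string, so an affected result there should be confirmed against the distributor's own advisory.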

References

4