CVE-2026-26284
📋 TL;DR
ImageMagick versions before 7.1.2-15 and 6.9.13-40 contain an out-of-bounds read vulnerability when processing Huffman-coded data in PCD files due to improper boundary checking. This could allow attackers to read sensitive memory contents or cause denial of service. Any system using vulnerable ImageMagick versions to process untrusted PCD files is affected.
💻 Affected Systems
- ImageMagick
📦 What is this software?
Imagemagick by Imagemagick
⚠️ Risk & Real-World Impact
Worst Case
Information disclosure through memory read, potential denial of service, or as part of a larger exploit chain leading to remote code execution.
Likely Case
Denial of service through application crash when processing malicious PCD files.
If Mitigated
Minimal impact if proper input validation and sandboxing are implemented.
🎯 Exploit Status
Exploitation requires crafting malicious PCD files. No public exploit code is known at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.1.2-15 and 6.9.13-40
Vendor Advisory: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-wrhr-rf8j-r842
Restart Required: No
Instructions:
1. Update ImageMagick to version 7.1.2-15 or later for ImageMagick 7, or 6.9.13-40 or later for ImageMagick 6.
2. Use the package manager: 'sudo apt update && sudo apt upgrade imagemagick' on Debian/Ubuntu or 'sudo yum update imagemagick' on RHEL/CentOS.
3. For source installations, download and compile from the official ImageMagick repository.
🔧 Temporary Workarounds
Disable PCD format support
Remove PCD format support from the ImageMagick policy configuration so the vulnerable coder is never invoked for untrusted input.
Edit /etc/ImageMagick-6/policy.xml or /etc/ImageMagick-7/policy.xml
Add, inside <policymap>: <policy domain="coder" rights="none" pattern="PCD" />
(Image formats are governed by the "coder" domain; the "delegate" domain only controls external helper programs and would not block PCD decoding.) Confirm the rule is active with 'convert -list policy' or 'magick -list policy'.
Input validation for PCD files
Implement server-side validation to reject or sanitize PCD file uploads before ImageMagick processes them.
🧯 If You Can't Patch
- Implement strict input validation to block PCD file uploads or processing.
- Run ImageMagick in a sandboxed environment with limited privileges to contain potential impact.
🔍 How to Verify
Check if Vulnerable:
Check the ImageMagick version with 'convert --version' or 'magick --version'. If the version is below 7.1.2-15 (for ImageMagick 7) or below 6.9.13-40 (for ImageMagick 6), the system is vulnerable.
Check Version:
{ convert --version 2>/dev/null || magick --version; } | head -1
Verify Fix Applied:
After updating, verify that the version is 7.1.2-15 or higher (ImageMagick 7) or 6.9.13-40 or higher (ImageMagick 6) using 'convert --version' or 'magick --version'.
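The version check above compared by hand is easy to get wrong because ImageMagick's patch level sits after a dash (7.1.1-26 is older than 7.1.2-15 even though 26 > 15). The following added example, not part of this advisory, parses the `--version` banner and applies the two fixed-version thresholds per major line; the sample banners are constructed.

```python
import re
import subprocess
from typing import Optional, Tuple

# Fixed versions from the advisory, one threshold per supported major line.
FIXED = {7: (7, 1, 2, 15), 6: (6, 9, 13, 40)}

# Matches 'ImageMagick 7.1.1-26' in 'Version: ImageMagick 7.1.1-26 Q16-HDRI ...'
_VERSION_RE = re.compile(r"ImageMagick (\d+)\.(\d+)\.(\d+)(?:-(\d+))?")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Extract (major, minor, micro, patch) from `magick --version` output."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no ImageMagick version found in: {text!r}")
    major, minor, micro, patch = m.groups()
    return int(major), int(minor), int(micro), int(patch or 0)


def is_vulnerable(text: str) -> bool:
    """True if the reported version predates the fix for its major line."""
    version = parse_version(text)
    fixed = FIXED.get(version[0])
    if fixed is None:
        raise ValueError(f"unsupported ImageMagick major line: {version[0]}")
    return version < fixed  # tuple comparison handles the dash patch level


def check_installed() -> Optional[bool]:
    """Run the installed binary (magick, then convert); None if neither exists."""
    for cmd in ("magick", "convert"):
        try:
            out = subprocess.run([cmd, "--version"], capture_output=True,
                                 text=True, check=True).stdout
        except (FileNotFoundError, subprocess.CalledProcessError):
            continue
        return is_vulnerable(out)
    return None


# Constructed sample banners (not captured from any real host).
SAMPLES = {
    "Version: ImageMagick 7.1.2-14 Q16-HDRI x86_64 https://imagemagick.org": True,
    "Version: ImageMagick 7.1.2-15 Q16-HDRI x86_64 https://imagemagick.org": False,
    "Version: ImageMagick 7.1.1-26 Q16-HDRI x86_64 https://imagemagick.org": True,
    "Version: ImageMagick 6.9.13-39 Q16 x86_64 https://imagemagick.org": True,
    "Version: ImageMagick 6.9.13-40 Q16 x86_64 https://imagemagick.org": False,
}

if __name__ == "__main__":
    for banner, expected in SAMPLES.items():
        assert is_vulnerable(banner) is expected
    print("installed ImageMagick vulnerable:", check_installed())
```

Distributions such as Debian and RHEL often backport security fixes without changing the upstream version string, so a "vulnerable" result from this check should be confirmed against the distro's own advisory or changelog before acting on it.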
📡 Detection & Monitoring
Log Indicators:
- Application crashes or abnormal termination when processing PCD files
- Error messages related to memory access violations in ImageMagick logs
Network Indicators:
- Unusual uploads of PCD files to web applications
- Increased error rates from image processing services
SIEM Query:
source="*imagemagick*" AND (error OR crash OR "segmentation fault") AND PCD