{ "document": { "aggregate_severity": { "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "TuxCare License Agreement", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.", "title": "Terms of Use" }, { "category": "details", "text": "CVE-2026-28494: fix stack buffer overflow in morphology kernel parsing\n- CVE-2026-28691: fix uninitialized pointer dereference in JBIG decoder\n- CVE-2026-25989: fix off-by-one boundary check in CastDouble functions\n- CVE-2026-25985: fix memory allocation without limits in SVG decoder\n- CVE-2026-24485: fix infinite loop in PCD decoder\n- CVE-2025-66628: fix integer overflow in TIM decoder on 32-bit systems\n- CVE-2026-28693: fix integer overflow in DIB/BMP coder", "title": "Details" } ], "publisher": { "category": "vendor", "contact_details": "https://tuxcare.com/contact/", "name": "TuxCare", "namespace": "https://tuxcare.com/" }, "references": [ { "category": "self", "summary": "https://cve.tuxcare.com/els/releases/CLSA-2026:1774999144", "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1774999144" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.tuxcare.com/csaf/v2/els_os/almalinux9.2esu/advisories/2026/clsa-2026_1774999144.json" } ], "tracking": { "current_release_date": "2026-03-31T23:20:12Z", "generator": { "date": "2026-03-31T23:20:12Z", "engine": { "name": "pyCSAF" } }, "id": "CLSA-2026:1774999144", "initial_release_date": "2026-03-31T23:20:12Z", "revision_history": [ { "date": "2026-03-31T23:20:12Z", "number": "1", "summary": "Initial version" } ], "status": "final", "version": "1" }, "title": "ImageMagick: Fix of 7 CVEs" }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "AlmaLinux 9.2", "product": { "name": "AlmaLinux 9.2", "product_id": "AlmaLinux-9.2", "product_identification_helper": { "cpe": "cpe:2.3:o:almalinux:almalinux:9.2:*:*:*:*:*:*:*" } } } ], "category": "product_family", "name": "AlmaLinux" } ], "category": "vendor", "name": "AlmaLinux OS Foundation" }, { "branches": [ { "branches": [ { "category": "product_version", "name": "ImageMagick-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "product": { "name": "ImageMagick-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "product_id": "ImageMagick-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/ImageMagick-devel@6.9.13.25-1.el9_2.tuxcare.els5?arch=x86_64" } } }, { "category": "product_version", "name": "ImageMagick-libs-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "product": { "name": "ImageMagick-libs-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "product_id": "ImageMagick-libs-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/ImageMagick-libs@6.9.13.25-1.el9_2.tuxcare.els5?arch=x86_64" } } }, { "category": "product_version", "name": "ImageMagick-perl-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "product": { "name": "ImageMagick-perl-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "product_id": "ImageMagick-perl-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/ImageMagick-perl@6.9.13.25-1.el9_2.tuxcare.els5?arch=x86_64" } } }, { "category": "product_version", "name": "ImageMagick-doc-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "product": { "name": "ImageMagick-doc-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "product_id": "ImageMagick-doc-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/ImageMagick-doc@6.9.13.25-1.el9_2.tuxcare.els5?arch=x86_64" } } }, { "category": "product_version", "name": "ImageMagick-c++-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "product": { "name": "ImageMagick-c++-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "product_id": "ImageMagick-c++-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/ImageMagick-c++-devel@6.9.13.25-1.el9_2.tuxcare.els5?arch=x86_64" } } }, { "category": "product_version", "name": "ImageMagick-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "product": { "name": "ImageMagick-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "product_id": "ImageMagick-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/ImageMagick@6.9.13.25-1.el9_2.tuxcare.els5?arch=x86_64" } } }, { "category": "product_version", "name": "ImageMagick-c++-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "product": { "name": "ImageMagick-c++-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "product_id": "ImageMagick-c++-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/ImageMagick-c++@6.9.13.25-1.el9_2.tuxcare.els5?arch=x86_64" } } }, { "category": "product_version", "name": "ImageMagick-djvu-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "product": { "name": "ImageMagick-djvu-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "product_id": "ImageMagick-djvu-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/ImageMagick-djvu@6.9.13.25-1.el9_2.tuxcare.els5?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" } ], "category": "vendor", "name": "TuxCare" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "ImageMagick-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:ImageMagick-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64" }, "product_reference": "ImageMagick-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "relates_to_product_reference": "AlmaLinux-9.2" }, { "category": "default_component_of", "full_product_name": { "name": "ImageMagick-libs-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:ImageMagick-libs-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64" }, "product_reference": "ImageMagick-libs-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "relates_to_product_reference": "AlmaLinux-9.2" }, { "category": "default_component_of", "full_product_name": { "name": "ImageMagick-perl-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:ImageMagick-perl-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64" }, "product_reference": "ImageMagick-perl-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "relates_to_product_reference": "AlmaLinux-9.2" }, { "category": "default_component_of", "full_product_name": { "name": "ImageMagick-doc-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:ImageMagick-doc-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64" }, "product_reference": "ImageMagick-doc-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "relates_to_product_reference": "AlmaLinux-9.2" }, { "category": "default_component_of", "full_product_name": { "name": "ImageMagick-c++-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:ImageMagick-c++-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64" }, "product_reference": "ImageMagick-c++-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "relates_to_product_reference": "AlmaLinux-9.2" }, { "category": "default_component_of", "full_product_name": { "name": "ImageMagick-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:ImageMagick-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64" }, "product_reference": "ImageMagick-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "relates_to_product_reference": "AlmaLinux-9.2" }, { "category": "default_component_of", "full_product_name": { "name": "ImageMagick-c++-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:ImageMagick-c++-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64" }, "product_reference": "ImageMagick-c++-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "relates_to_product_reference": "AlmaLinux-9.2" }, { "category": "default_component_of", "full_product_name": { "name": "ImageMagick-djvu-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:ImageMagick-djvu-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64" }, "product_reference": "ImageMagick-djvu-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "relates_to_product_reference": "AlmaLinux-9.2" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-24485", "cwe": { "id": "CWE-835", "name": "Loop with Unreachable Exit Condition ('Infinite Loop')" }, "notes": [ { "category": "description", "text": "ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, when a PCD file does not contain a valid Sync marker, the DecodeImage() function becomes trapped in an infinite loop while searching for the Sync marker, causing the program to become unresponsive and continuously consume CPU resources, ultimately leading to system resource exhaustion and denial of service. Versions 7.1.2-15 and 6.9.13-40 contain a patch.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AlmaLinux-9.2:ImageMagick-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-c++-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-c++-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-djvu-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-doc-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-libs-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-perl-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2026-24485" } ], "release_date": "2026-02-24T00:34:00Z", "remediations": [ { "category": "vendor_fix", "date": "2026-03-31T23:19:07.376704Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1774999144", "product_ids": [ "AlmaLinux-9.2:ImageMagick-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-c++-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-c++-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-djvu-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-doc-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-libs-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-perl-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1774999144" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "AlmaLinux-9.2:ImageMagick-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-c++-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-c++-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-djvu-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-doc-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-libs-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-perl-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ] }, { "cve": "CVE-2026-28691", "cwe": { "id": "CWE-824", "name": "Access of Uninitialized Pointer" }, "notes": [ { "category": "description", "text": "ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, an uninitialized pointer dereference vulnerability exists in the JBIG decoder due to a missing check. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AlmaLinux-9.2:ImageMagick-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-c++-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-c++-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-djvu-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-doc-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-libs-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-perl-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2026-28691" } ], "release_date": "2026-03-09T21:40:00Z", "remediations": [ { "category": "vendor_fix", "date": "2026-03-31T23:19:07.376704Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1774999144", "product_ids": [ "AlmaLinux-9.2:ImageMagick-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-c++-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-c++-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-djvu-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-doc-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-libs-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-perl-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1774999144" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "AlmaLinux-9.2:ImageMagick-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-c++-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-c++-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-djvu-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-doc-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-libs-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-perl-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ] }, { "cve": "CVE-2026-25985", "cwe": { "id": "CWE-770", "name": "Allocation of Resources Without Limits or Throttling" }, "notes": [ { "category": "description", "text": "ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted SVG file containing an malicious element causes ImageMagick to attempt to allocate ~674 GB of memory, leading to an out-of-memory abort. Versions 7.1.2-15 and 6.9.13-40 contain a patch.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AlmaLinux-9.2:ImageMagick-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-c++-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-c++-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-djvu-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-doc-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-libs-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-perl-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2026-25985" } ], "release_date": "2026-02-24T01:43:00Z", "remediations": [ { "category": "vendor_fix", "date": "2026-03-31T23:19:07.376704Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1774999144", "product_ids": [ "AlmaLinux-9.2:ImageMagick-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-c++-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-c++-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-djvu-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-doc-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-libs-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-perl-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1774999144" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "AlmaLinux-9.2:ImageMagick-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-c++-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-c++-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-djvu-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-doc-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-libs-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-perl-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ] }, { "cve": "CVE-2025-66628", "cwe": { "id": "CWE-125", "name": "Out-of-bounds Read" }, "notes": [ { "category": "description", "text": "ImageMagick is a software suite to create, edit, compose, or convert bitmap images. In versions 7.1.2-9 and prior, the TIM (PSX TIM) image parser contains a critical integer overflow vulnerability in its ReadTIMImage function (coders/tim.c). The code reads width and height (16-bit values) from the file header and calculates image_size = 2 * width * height without checking for overflow. On 32-bit systems (or where size_t is 32-bit), this calculation can overflow if width and height are large (e.g., 65535), wrapping around to a small value. This results in a small heap allocation via AcquireQuantumMemory and later operations relying on the dimensions can trigger an out of bounds read. This issue is fixed in version 7.1.2-10.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AlmaLinux-9.2:ImageMagick-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-c++-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-c++-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-djvu-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-doc-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-libs-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-perl-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2025-66628" } ], "release_date": "2025-12-10T22:04:00Z", "remediations": [ { "category": "vendor_fix", "date": "2026-03-31T23:19:07.376704Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1774999144", "product_ids": [ "AlmaLinux-9.2:ImageMagick-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-c++-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-c++-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-djvu-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-doc-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-libs-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-perl-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1774999144" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "AlmaLinux-9.2:ImageMagick-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-c++-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-c++-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-djvu-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-doc-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-libs-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-perl-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ] }, { "cve": "CVE-2026-28494", "cwe": { "id": "CWE-120", "name": "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')" }, "notes": [ { "category": "description", "text": "ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a stack buffer overflow exists in ImageMagick's morphology kernel parsing functions. User-controlled kernel strings exceeding a buffer are copied into fixed-size stack buffers via memcpy without bounds checking, resulting in stack corruption. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AlmaLinux-9.2:ImageMagick-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-c++-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-c++-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-djvu-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-doc-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-libs-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-perl-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2026-28494" } ], "release_date": "2026-03-09T21:31:00Z", "remediations": [ { "category": "vendor_fix", "date": "2026-03-31T23:19:07.376704Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1774999144", "product_ids": [ "AlmaLinux-9.2:ImageMagick-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-c++-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-c++-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-djvu-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-doc-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-libs-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-perl-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1774999144" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "version": "3.1" }, "products": [ "AlmaLinux-9.2:ImageMagick-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-c++-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-c++-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-djvu-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-doc-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-libs-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-perl-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ] }, { "cve": "CVE-2026-25989", "cwe": { "id": "CWE-193", "name": "Off-by-one Error" }, "notes": [ { "category": "description", "text": "ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted SVG file can cause a denial of service. An off-by-one boundary check (`>` instead of `>=`) that allows bypass the guard and reach an undefined `(size_t)` cast. Versions 7.1.2-15 and 6.9.13-40 contain a patch.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AlmaLinux-9.2:ImageMagick-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-c++-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-c++-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-djvu-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-doc-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-libs-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-perl-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2026-25989" } ], "release_date": "2026-02-24T01:50:00Z", "remediations": [ { "category": "vendor_fix", "date": "2026-03-31T23:19:07.376704Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1774999144", "product_ids": [ "AlmaLinux-9.2:ImageMagick-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-c++-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-c++-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-djvu-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-doc-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-libs-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-perl-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1774999144" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "AlmaLinux-9.2:ImageMagick-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-c++-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-c++-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-djvu-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-doc-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-libs-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-perl-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ] }, { "cve": "CVE-2026-28693", "cwe": { "id": "CWE-190", "name": "Integer Overflow or Wraparound" }, "notes": [ { "category": "description", "text": "ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, an integer overflow in DIB coder can result in out of bounds read or write. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AlmaLinux-9.2:ImageMagick-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-c++-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-c++-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-djvu-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-doc-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-libs-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-perl-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2026-28693" } ], "release_date": "2026-03-09T21:42:00Z", "remediations": [ { "category": "vendor_fix", "date": "2026-03-31T23:19:07.376704Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1774999144", "product_ids": [ "AlmaLinux-9.2:ImageMagick-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-c++-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-c++-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-djvu-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-doc-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-libs-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-perl-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1774999144" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AlmaLinux-9.2:ImageMagick-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-c++-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-c++-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-devel-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-djvu-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-doc-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-libs-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64", "AlmaLinux-9.2:ImageMagick-perl-0:6.9.13.25-1.el9_2.tuxcare.els5.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ] } ] }