CVE-2026-26284

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, ImageMagick lacks proper boundary checking when processing Huffman-coded data from PCD (Photo CD) files. The decoder contains an function that has an incorrect initialization that could cause an out of bounds read. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

How to fix CVE-2026-26284

To remediate CVE-2026-26284, upgrade the affected package to a fixed version below.

—upgrade to 8:6.9.11.60+dfsg-1.3+deb11u11 or later
—upgrade to 14.10.3 or later
—upgrade to 14.10.3 or later
—upgrade to 14.10.3 or later
—upgrade to 14.10.3 or later
—upgrade to 14.10.3 or later
—upgrade to 14.10.3 or later
—upgrade to 14.10.3 or later
—upgrade to 14.10.3 or later
—upgrade to 14.10.3 or later
—upgrade to 14.10.3 or later
—upgrade to 14.10.3 or later
—upgrade to 14.10.3 or later
—upgrade to 14.10.3 or later
—upgrade to 14.10.3 or later

Is CVE-2026-26284 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (20)

from 0, < 8:6.9.11.60+dfsg-1.3+deb11u11
from 0, < 14.10.3
from 0, < 14.10.3
from 0, < 14.10.3
from 0, < 14.10.3
from 0, < 14.10.3
from 0, < 14.10.3
from 0, < 14.10.3
from 0, < 14.10.3
from 0, < 14.10.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L