Update Info

SUSE-PackageHub-16.0-618


Security update for ImageMagick


Type: security
Severity: important
Issued: 2026-04-22
Description:
This update for ImageMagick fixes the following issues:

- CVE-2026-32259: stack out-of-bounds write due to a memory allocation failure in the sixel encoder can lead to a crash
  (bsc#1259612).
- CVE-2026-32636: out-of-bounds write of a single zero byte due to a bug in the `NewXMLTree` method can lead to a denial
  of service (bsc#1259872).
- CVE-2026-33535: out-of-bounds write of a zero byte in X11 `display` interaction path can lead to a crash
  (bsc#1260874).
- CVE-2026-33536: stack out-of-bounds write due to incorrect return value on certain platforms can lead to a denial of
  service (bsc#1260879).
- CVE-2026-33899: out-of-bounds write of a single zero byte in XML parsing can lead to a denial of service (bsc#1262154).
- CVE-2026-33900: heap out-of-bounds write due to integer truncation in viff encoder can lead to a crash (bsc#1262156).
- CVE-2026-33901: heap buffer overflow in the MVG decoder can lead to memory corruption or a crash (bsc#1262155).
- CVE-2026-33902: stack buffer overflow in the FX expression parser can lead to a process crash (bsc#1262153).
- CVE-2026-33905: out-of-bounds read in `-sample` operation can lead to a denial of service (bsc#1262097).
- CVE-2026-33908: recursive execution with no depth limit imposed when processing XML files can lead to resource
  exhaustion and a denial of service (bsc#1262152).
- CVE-2026-34238: heap buffer overflow due to integer overflow in the despeckle operation can lead to a denial of
  service (bsc#1262147).
- CVE-2026-40169: out-of-bounds heap write when processing a crafted image and writing a YAML or JSON output can lead
  to a crash (bsc#1262150).
- CVE-2026-40183: heap out-of-bounds write in the JXL encoder can lead to a denial of service (bsc#1262145).
- CVE-2026-40310: heap out-of-bounds write in the JP2 encoder can lead to a denial of service (bsc#1262148).
- CVE-2026-40311: heap use-after-free when reading and printing values from an invalid XMP profile can lead to a denial
  of service (bsc#1262146).
- CVE-2026-40312: off-by-one error in the MSL decoder can lead to a crash (bsc#1262149).


              

Packages


  • ImageMagick-7.1.2.0-160000.8.1