| Package | imagemagick |
|---|---|
| Version | 8:6.9.7.4+dfsg-11+deb9u25 (stretch), 8:6.9.10.23+dfsg-2.1+deb10u14 (buster) |
| Related CVEs | CVE-2026-23874 CVE-2026-23876 CVE-2026-23952 |

Multiple vulnerabilities were fixed in imagemagick, an image manipulation software suite.
CVE-2026-23874
A stack overflow was found via infinite recursion in the
MSL (Magick Scripting Language) `<write>` command when
writing to MSL format.
CVE-2026-23876
A heap buffer overflow vulnerability was found in the XBM
image decoder (ReadXBMImage). It allows an attacker to write
controlled data past the allocated heap buffer when
processing a maliciously crafted image file.
Any operation that reads or identifies an image can
trigger the overflow, making it exploitable via common
image upload and processing pipelines.
CVE-2026-23952
A NULL pointer dereference was found in the MSL parser via a `<comment>`
tag before image load.
For Debian 10 buster, these problems have been fixed in version 8:6.9.10.23+dfsg-2.1+deb10u14.
For Debian 9 stretch, these problems have been fixed in version 8:6.9.7.4+dfsg-11+deb9u25.
We recommend that you upgrade your imagemagick packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.