CVE-2026-24481

CVE-2026-24481 is a heap information disclosure vulnerability (CWE-125) in ImageMagick, a free and open-source software suite for editing and manipulating digital images. The issue resides in the PSD (Adobe Photoshop) format handler, affecting versions prior to 7.1.2-15 for the 7.x branch and 6.9.13-40 for the 6.x branch. It occurs when processing a maliciously crafted PSD file containing ZIP-compressed layer data that decompresses to less than the expected size, resulting in uninitialized heap memory being leaked into the output image. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Attackers can exploit this vulnerability remotely without privileges or user interaction by supplying a specially crafted PSD file to an ImageMagick instance, such as in a web application or image processing pipeline that handles untrusted uploads. Successful exploitation leaks sensitive uninitialized heap memory contents into the resulting output image, potentially exposing confidential data like cryptographic keys, passwords, or other process memory artifacts visible to an attacker upon inspecting the output.

The official ImageMagick GitHub security advisory (GHSA-96pc-27rx-pr36) confirms the patch in versions 7.1.2-15 and 6.9.13-40, recommending immediate upgrades for affected systems. Practitioners should verify deployments, scan for vulnerable versions, and implement input validation to reject or sanitize PSD files from untrusted sources until patching is complete.