Cyber Resilience

CVE-2026-26284

Medium

Published: 24 February 2026

Published
24 February 2026
Modified
24 February 2026
KEV Added
Patch
CVSS Score v3.1 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
EPSS Score 0.0040 32.1th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-26284 is a medium-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Imagemagick Imagemagick. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 32.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-26284 is a vulnerability in ImageMagick, a free and open-source software suite for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, the software lacks proper boundary checking when processing Huffman-coded data in PCD (Photo CD) files. Specifically, a decoder function suffers from incorrect initialization, which can lead to an out-of-bounds read. This issue is classified under CWE-122 (Heap-based Buffer Over-read), CWE-787 (Out-of-bounds Write), and CWE-125 (Out-of-bounds Read), with a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L).

The vulnerability can be exploited remotely by unauthenticated attackers with network access, requiring low complexity and no user interaction. By supplying a specially crafted PCD file to an ImageMagick instance, such as in a web application or image processing pipeline, an attacker can trigger the out-of-bounds read. This may result in limited disclosure of sensitive information from memory or a denial of service via application crash, though integrity is unaffected.

The official GitHub security advisory (GHSA-wrhr-rf8j-r842) confirms that ImageMagick versions 7.1.2-15 and 6.9.13-40 address the issue with a patch fixing the decoder's initialization and boundary checks. Security practitioners should upgrade to these versions or later and consider disabling PCD file processing if not required, via ImageMagick's policy configuration.

EU & UK References

Vulnerability details

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, ImageMagick lacks proper boundary checking when processing Huffman-coded data from PCD (Photo CD) files. The decoder contains an function that has…

more

an incorrect initialization that could cause an out of bounds read. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows remote unauthenticated attackers to supply a crafted PCD file to ImageMagick instances (e.g., in web apps or processing pipelines), directly enabling exploitation of public-facing applications for limited info disclosure or DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25987Same product: Imagemagick Imagemagick
CVE-2026-23876Same product: Imagemagick Imagemagick
CVE-2026-33901Same product: Imagemagick Imagemagick
CVE-2026-28693Same product: Imagemagick Imagemagick
CVE-2025-55298Same product: Imagemagick Imagemagick
CVE-2025-53101Same product: Imagemagick Imagemagick
CVE-2026-32636Same product: Imagemagick Imagemagick
CVE-2026-25898Same product: Imagemagick Imagemagick
CVE-2026-25986Same product: Imagemagick Imagemagick
CVE-2026-24481Same product: Imagemagick Imagemagick

Affected Assets

imagemagick
imagemagick
≤ 6.9.13-40 · 7.0.0-0 — 7.1.2-15

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely installation of the vendor patch that corrects the PCD decoder initialization and boundary checks in ImageMagick.

prevent

Allows disabling PCD format processing via ImageMagick policy when the feature is not required, eliminating the vulnerable code path.

prevent

Enforces approved ImageMagick configuration settings and version baselines that restrict or eliminate use of the unpatched PCD decoder.

References