Security update for ImageMagick SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:0384-1 Final 1 1 2026-02-04T12:46:45Z current 2026-02-04T12:46:45Z 2026-02-04T12:46:45Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for ImageMagick This update for ImageMagick fixes the following issues: - CVE-2026-23874: manipulation of digital images can lead to stack overflow (bsc#1256976). - CVE-2026-23876: maliciously crafted image can lead to heap buffer overflow (bsc#1256962). - CVE-2026-23952: processing comment tag can cause null pointer dereference (bsc#1257076). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2026-384,SUSE-SLE-SERVER-12-SP5-LTSS-2026-384,SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2026-384 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-20260384-1/ Link for SUSE-SU-2026:0384-1 https://lists.suse.com/pipermail/sle-security-updates/2026-February/024057.html E-Mail link for SUSE-SU-2026:0384-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1256962 SUSE Bug 1256962 https://bugzilla.suse.com/1256976 SUSE Bug 1256976 https://bugzilla.suse.com/1257076 SUSE Bug 1257076 https://www.suse.com/security/cve/CVE-2026-23874/ SUSE CVE CVE-2026-23874 page https://www.suse.com/security/cve/CVE-2026-23876/ SUSE CVE CVE-2026-23876 page https://www.suse.com/security/cve/CVE-2026-23952/ SUSE CVE CVE-2026-23952 page SUSE Linux Enterprise Server 12 SP5-LTSS SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 ImageMagick-6.8.8.1-71.227.1 ImageMagick-config-6-SUSE-6.8.8.1-71.227.1 ImageMagick-config-6-upstream-6.8.8.1-71.227.1 ImageMagick-devel-6.8.8.1-71.227.1 ImageMagick-devel-32bit-6.8.8.1-71.227.1 ImageMagick-devel-64bit-6.8.8.1-71.227.1 ImageMagick-doc-6.8.8.1-71.227.1 ImageMagick-extra-6.8.8.1-71.227.1 libMagick++-6_Q16-3-6.8.8.1-71.227.1 libMagick++-6_Q16-3-32bit-6.8.8.1-71.227.1 libMagick++-6_Q16-3-64bit-6.8.8.1-71.227.1 libMagick++-devel-6.8.8.1-71.227.1 libMagick++-devel-32bit-6.8.8.1-71.227.1 libMagick++-devel-64bit-6.8.8.1-71.227.1 libMagickCore-6_Q16-1-6.8.8.1-71.227.1 libMagickCore-6_Q16-1-32bit-6.8.8.1-71.227.1 libMagickCore-6_Q16-1-64bit-6.8.8.1-71.227.1 libMagickWand-6_Q16-1-6.8.8.1-71.227.1 libMagickWand-6_Q16-1-32bit-6.8.8.1-71.227.1 libMagickWand-6_Q16-1-64bit-6.8.8.1-71.227.1 perl-PerlMagick-6.8.8.1-71.227.1 ImageMagick-config-6-SUSE-6.8.8.1-71.227.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS ImageMagick-config-6-upstream-6.8.8.1-71.227.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS ImageMagick-devel-6.8.8.1-71.227.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS libMagick++-devel-6.8.8.1-71.227.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS libMagickCore-6_Q16-1-6.8.8.1-71.227.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS libMagickWand-6_Q16-1-6.8.8.1-71.227.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS ImageMagick-config-6-SUSE-6.8.8.1-71.227.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 ImageMagick-config-6-upstream-6.8.8.1-71.227.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 ImageMagick-devel-6.8.8.1-71.227.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 libMagick++-devel-6.8.8.1-71.227.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 libMagickCore-6_Q16-1-6.8.8.1-71.227.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 libMagickWand-6_Q16-1-6.8.8.1-71.227.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 ImageMagick is free and open-source software used for editing and manipulating digital images. Versions prior to 7.1.2-13 have a stack overflow via infinite recursion in MSL (Magick Scripting Language) `<write>` command when writing to MSL format. Version 7.1.2-13 fixes the issue. CVE-2026-23874 SUSE Linux Enterprise Server 12 SP5-LTSS:ImageMagick-config-6-SUSE-6.8.8.1-71.227.1 SUSE Linux Enterprise Server 12 SP5-LTSS:ImageMagick-config-6-upstream-6.8.8.1-71.227.1 SUSE Linux Enterprise Server 12 SP5-LTSS:ImageMagick-devel-6.8.8.1-71.227.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libMagick++-devel-6.8.8.1-71.227.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libMagickCore-6_Q16-1-6.8.8.1-71.227.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libMagickWand-6_Q16-1-6.8.8.1-71.227.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:ImageMagick-config-6-SUSE-6.8.8.1-71.227.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:ImageMagick-config-6-upstream-6.8.8.1-71.227.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:ImageMagick-devel-6.8.8.1-71.227.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libMagick++-devel-6.8.8.1-71.227.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libMagickCore-6_Q16-1-6.8.8.1-71.227.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libMagickWand-6_Q16-1-6.8.8.1-71.227.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260384-1/ https://www.suse.com/security/cve/CVE-2026-23874.html CVE-2026-23874 https://bugzilla.suse.com/1256976 SUSE Bug 1256976 ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-13 and 6.9.13-38, a heap buffer overflow vulnerability in the XBM image decoder (ReadXBMImage) allows an attacker to write controlled data past the allocated heap buffer when processing a maliciously crafted image file. Any operation that reads or identifies an image can trigger the overflow, making it exploitable via common image upload and processing pipelines. Versions 7.1.2-13 and 6.9.13-38 fix the issue. CVE-2026-23876 SUSE Linux Enterprise Server 12 SP5-LTSS:ImageMagick-config-6-SUSE-6.8.8.1-71.227.1 SUSE Linux Enterprise Server 12 SP5-LTSS:ImageMagick-config-6-upstream-6.8.8.1-71.227.1 SUSE Linux Enterprise Server 12 SP5-LTSS:ImageMagick-devel-6.8.8.1-71.227.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libMagick++-devel-6.8.8.1-71.227.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libMagickCore-6_Q16-1-6.8.8.1-71.227.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libMagickWand-6_Q16-1-6.8.8.1-71.227.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:ImageMagick-config-6-SUSE-6.8.8.1-71.227.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:ImageMagick-config-6-upstream-6.8.8.1-71.227.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:ImageMagick-devel-6.8.8.1-71.227.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libMagick++-devel-6.8.8.1-71.227.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libMagickCore-6_Q16-1-6.8.8.1-71.227.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libMagickWand-6_Q16-1-6.8.8.1-71.227.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260384-1/ https://www.suse.com/security/cve/CVE-2026-23876.html CVE-2026-23876 https://bugzilla.suse.com/1256962 SUSE Bug 1256962 ImageMagick is free and open-source software used for editing and manipulating digital images. Versions 14.10.1 and below have a NULL pointer dereference vulnerability in the MSL (Magick Scripting Language) parser when processing <comment> tags before images are loaded. This can lead to DoS attack due to assertion failure (debug builds) or NULL pointer dereference (release builds). This issue is fixed in version 14.10.2. CVE-2026-23952 SUSE Linux Enterprise Server 12 SP5-LTSS:ImageMagick-config-6-SUSE-6.8.8.1-71.227.1 SUSE Linux Enterprise Server 12 SP5-LTSS:ImageMagick-config-6-upstream-6.8.8.1-71.227.1 SUSE Linux Enterprise Server 12 SP5-LTSS:ImageMagick-devel-6.8.8.1-71.227.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libMagick++-devel-6.8.8.1-71.227.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libMagickCore-6_Q16-1-6.8.8.1-71.227.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libMagickWand-6_Q16-1-6.8.8.1-71.227.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:ImageMagick-config-6-SUSE-6.8.8.1-71.227.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:ImageMagick-config-6-upstream-6.8.8.1-71.227.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:ImageMagick-devel-6.8.8.1-71.227.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libMagick++-devel-6.8.8.1-71.227.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libMagickCore-6_Q16-1-6.8.8.1-71.227.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libMagickWand-6_Q16-1-6.8.8.1-71.227.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260384-1/ https://www.suse.com/security/cve/CVE-2026-23952.html CVE-2026-23952 https://bugzilla.suse.com/1257076 SUSE Bug 1257076