CVE-2026-56377

NameCVE-2026-56377
DescriptionImageMagick before 7.1.2-24 contains an incorrect policy check that allows attackers to create or truncate files disallowed by security policies. Remote attackers can bypass path policy restrictions in sandboxed conversion services to write arbitrary files outside intended boundaries.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
imagemagick (PTS)bullseye8:6.9.11.60+dfsg-1.3+deb11u4vulnerable
bullseye (security)8:6.9.11.60+dfsg-1.3+deb11u14vulnerable
bookworm8:6.9.11.60+dfsg-1.6+deb12u9vulnerable
bookworm (security)8:6.9.11.60+dfsg-1.6+deb12u11vulnerable
trixie8:7.1.1.43+dfsg1-1+deb13u8vulnerable
trixie (security)8:7.1.1.43+dfsg1-1+deb13u10vulnerable
forky, sid8:7.1.2.25+dfsg1-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
imagemagicksource(unstable)8:7.1.2.24+dfsg1-1

Notes

https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-gm48-c7f2-v67p
Fixed by: https://github.com/ImageMagick/ImageMagick/commit/3705205e1424d379c2fc46c026c8560ccea0509e (7.1.2-24)
Fixed by: https://github.com/ImageMagick/ImageMagick6/commit/a2aa44ce71f0950522a104bbd4daa7b8a0b6709c (6.9.13-49)

Search for package or bug name: Reporting problems