CVE-2026-56379

NameCVE-2026-56379
DescriptionImageMagick before 7.1.2-15 and 6.9.13-40 contains a command injection vulnerability in the SVG decoder that allows attackers to inject arbitrary MVG drawing commands. Attackers can craft malicious SVG files with injected Magick Vector Graphics commands that execute during rendering.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
imagemagick (PTS)bullseye8:6.9.11.60+dfsg-1.3+deb11u4vulnerable
bullseye (security)8:6.9.11.60+dfsg-1.3+deb11u15fixed
bookworm8:6.9.11.60+dfsg-1.6+deb12u11fixed
bookworm (security)8:6.9.11.60+dfsg-1.6+deb12u12fixed
trixie8:7.1.1.43+dfsg1-1+deb13u10fixed
trixie (security)8:7.1.1.43+dfsg1-1+deb13u11fixed
forky, sid8:7.1.2.27+dfsg1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
imagemagicksourcebullseye8:6.9.11.60+dfsg-1.3+deb11u11
imagemagicksourcebookworm8:6.9.11.60+dfsg-1.6+deb12u8
imagemagicksourcetrixie8:7.1.1.43+dfsg1-1+deb13u8
imagemagicksource(unstable)8:7.1.2.15+dfsg1-1

Notes

https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xpg8-7m6m-jf56
Fixed by: https://github.com/ImageMagick/ImageMagick/commit/f63c78b3828933f1cc7cf499390248981af765aa (7.1.2-14)
Fixed by: https://github.com/ImageMagick/ImageMagick/commit/9db96365ecab5de69cdec81b9359672b3a827aaa (7.1.2-14)
Fixed by: https://github.com/ImageMagick/ImageMagick6/commit/4b7a043eb0fdf233ea9ecf237bcb009c16a354cd (6.9.13-39)
Fixed by: https://github.com/ImageMagick/ImageMagick6/commit/b4a7adf48e723ab73d2337ada34ee0fee7337250 (6.9.13-39)
bookworm/bullseye fixed by backporting svg/msl coder from 6.9.13-41
trixie fixed by backporting svg/msl to 7.1.2-16

Search for package or bug name: Reporting problems