CVE-2026-23876

unknown
Published: n/a · Modified: n/a
CVSS v3: n/a
CVSS v4: n/a
not yet in upstream
VIR risk: n/a

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-13 and 6.9.13-38, a heap buffer overflow vulnerability in the XBM image decoder (ReadXBMImage) allows an attacker to write controlled data past the allocated heap buffer when processing a maliciously crafted image file. Any operation that reads or identifies an image can trigger the overflow, making it exploitable via common image upload and processing pipelines. Versions 7.1.2-13 and 6.9.13-38 fix the issue.

Predictions

Exploit likelihood
20%
Patch ETA
n/a

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

community-verified, authored 2026-05-29

Immediate action:

1. Deny the XBM coder in ImageMagick's security policy. Edit /etc/ImageMagick-/policy.xml (or /usr/local/etc/ImageMagick-/policy.xml; the directory name carries the major version of the installed ImageMagick). Add the policy line inside the existing <policymap> element rather than replacing the file, because the stock file already carries other policies:

<policymap>
  <policy domain="coder" rights="none" pattern="XBM" />
</policymap>

The policy is enforced on the coder ImageMagick selects for the file's content (XBM is recognised by its #define header), so renaming a crafted XBM to another extension does not bypass it. rights="none" also blocks writing XBM; if another coder entry already uses a brace list such as "{PS,EPS}", add XBM to that list instead of adding a second entry.

2. Restart long-lived processes that have ImageMagick loaded. policy.xml is read when the library initialises, not per request, so running workers keep the old policy until restarted:

systemctl restart php-fpm nginx
# or your image processing workers (anything using the imagick or RMagick bindings)

3. Upgrade to a fixed package:

# Debian/Ubuntu
apt-get update && apt-get install --only-upgrade imagemagick
# RHEL/CentOS (the package name is capitalised)
yum update ImageMagick
# dnf update ImageMagick on releases that use dnf

Distribution packages backport the fix without adopting the upstream version number, so compare the installed package against the "Fixed in" column of the OS impact table below rather than against 7.1.2-13 / 6.9.13-38.

Rollback: Remove the <policy> line and restart services. Test with a known-good XBM if your workflow requires it (rare).

Verification:

identify -list policy | grep -B2 -A2 -i xbm
# The Coder policy entry for XBM should list rights: None
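The two checks above (is the XBM coder denied in policy.xml, and is the installed upstream version at or past the fixed release) can be scripted so they run offline in an audit or CI job. The script below is an added example, not part of this advisory or of the ImageMagick project. It assumes the attribute spellings a stock policy.xml uses (domain="coder", rights="none", pattern="..."), skips entries that are commented out, and understands only upstream version numbers: a distribution backport such as Debian's 8:6.9.11.60+dfsg-1.6+deb12u6 reports an older upstream version in its banner and must be judged by the package version instead. The policy file and version banners in the demo are constructed input, not real system data.

```sh
#!/bin/sh
# Added example (not from the advisory or ImageMagick): offline checks for
# the XBM coder mitigation. Functions:
#   policy_denies_xbm FILE    exit 0 if FILE has an active coder policy
#                             denying XBM, 1 if not, 2 if unreadable
#   im_version_fixed BANNER   exit 0 if the upstream version in BANNER
#                             (e.g. a `magick -version` line) is >= 7.1.2-13
#                             or >= 6.9.13-38, 1 if older, 2 if unparseable
set -u

# Exit 0 if version $1 >= $2, comparing "major.minor.patch-release" numerically.
im_version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, /[.-]/); split(b, y, /[.-]/)
        for (i = 1; i <= 4; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Pull the first "N.N.N-N" token out of a version banner; exit 1 if absent.
im_version_extract() {
    v=$(printf '%s\n' "$1" \
        | sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*-[0-9][0-9]*\).*/\1/p' \
        | head -n 1)
    [ -n "$v" ] && printf '%s\n' "$v"
}

# Fixed releases named by the advisory: 7.1.2-13 for 7.x, 6.9.13-38 for 6.x.
im_version_fixed() {
    v=$(im_version_extract "$1") || return 2
    case "$v" in
        7.*) im_version_ge "$v" 7.1.2-13 ;;
        6.*) im_version_ge "$v" 6.9.13-38 ;;
        *)   return 2 ;;
    esac
}

# Scan policy.xml for <policy domain="coder" rights="none" pattern="..."/>
# whose pattern is XBM, {XBM}, a brace list containing XBM, or "*".
# XML comments (including multi-line ones, which the stock file uses for
# examples) are stripped first so commented-out lines are not counted.
policy_denies_xbm() {
    [ -r "$1" ] || return 2
    awk '
    {
        line = $0
        for (;;) {
            if (incomment) {
                p = index(line, "-->")
                if (p == 0) { line = ""; break }
                line = substr(line, p + 3); incomment = 0
            } else {
                s = index(line, "<!--")
                if (s == 0) break
                e = index(substr(line, s), "-->")
                if (e == 0) { line = substr(line, 1, s - 1); incomment = 1; break }
                line = substr(line, 1, s - 1) substr(line, s + e + 2)
            }
        }
        low = tolower(line)
        if (low ~ /<policy/ && low ~ /domain="coder"/ && low ~ /rights="none"/ &&
            match(line, /pattern="[^"]*"/)) {
            pat = substr(line, RSTART + 9, RLENGTH - 10)   # strip pattern=" and "
            gsub(/[{}]/, "", pat)                          # {PS,XBM} -> PS,XBM
            n = split(pat, parts, /,/)
            for (i = 1; i <= n; i++)
                if (toupper(parts[i]) == "XBM" || parts[i] == "*") found = 1
        }
    }
    END { exit found ? 0 : 1 }' "$1"
}

# Demo on constructed input (not a real system file or banner).
demo() {
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Example block in the style of the stock file; this line is NOT active:
  <policy domain="coder" rights="none" pattern="XBM" />
-->
<policymap>
  <!-- <policy domain="coder" rights="none" pattern="MVG" /> -->
  <policy domain="coder" rights="none" pattern="{PS,XBM}" />
</policymap>
EOF
    if policy_denies_xbm "$tmp"; then echo "policy: XBM coder denied"
    else echo "policy: XBM coder still allowed"; fi
    rm -f "$tmp"
    for banner in "Version: ImageMagick 7.1.2-13 Q16-HDRI x86_64" \
                  "Version: ImageMagick 6.9.13-37 Q16 x86_64"; do
        rc=0; im_version_fixed "$banner" || rc=$?
        case $rc in
            0) echo "fixed:      $banner" ;;
            1) echo "vulnerable: $banner" ;;
            *) echo "unknown:    $banner" ;;
        esac
    done
}
demo
```

On a live host, feed `policy_denies_xbm` the path reported by `identify -list policy` and `im_version_fixed` the first line of `identify -version`; treat a "vulnerable" verdict on a distribution package as a prompt to check the package version against the OS impact table, not as proof.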

OS impact

OS      Version   Status    Fixed in
Debian  bookworm  fixed     8:6.9.11.60+dfsg-1.6+deb12u6
Debian  bullseye  fixed     8:6.9.11.60+dfsg-1.3+deb11u9
Debian  forky     fixed     8:7.1.2.13+dfsg1-1
Debian  sid       fixed     8:7.1.2.13+dfsg1-1
Debian  trixie    fixed     8:7.1.1.43+dfsg1-1+deb13u5
SUSE    SLES      affected

References