VIR Vulnerability Intelligence Relay

CVE-2026-32259

unknown
Published โ€” ยท Modified โ€”
๐Ÿ’ฌ Discuss on Community โœš Propose mitigation
CVSS v3
โ€”
CVSS v4 NEW
โ€”
not yet in upstream
VIR risk
โ€”

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-16 and 6.9.13-41, when a memory allocation fails in the sixel encoder it would be possible to write past the end of a buffer on the stack. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.

Predictions

Exploit likelihood
20%
Patch ETA
โ€”

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

community-verified Authored 2026-05-29
{

Edit /etc/ImageMagick-7/policy.xml (or -6 for older branches) and add a denial rule for the SIXEL coder:

<policymap>
  <policy domain="coder" rights="none" pattern="SIXEL" />
</policymap>

Restart any application servers or workers using ImageMagick (e.g. systemctl restart apache2 or relevant container pods). Verify with:

convert -list format | grep -i sixel
# should show "SIXEL" with no read/write permissions

Rollback: Remove the policy line and restart services. SIXEL is a legacy DEC terminal format; disabling it has minimal impact on modern workflows.

Upgrade to 7.1.2-16+ or 6.9.13-41+ as soon as vendor packages are available.

}

OS impact
OSVersionStatusFixed in
debian debianbookwormfixed8:6.9.11.60+dfsg-1.6+deb12u8
debian debianbullseyefixed8:6.9.11.60+dfsg-1.3+deb11u11
debian debianforkyfixed8:7.1.2.16+dfsg1-1
debian debiansidfixed8:7.1.2.16+dfsg1-1
debian debiantrixiefixed8:7.1.1.43+dfsg1-1+deb13u7
suse slesaffected

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.