CVE
CVE-2026-24481
ImageMagick has Possible Heap Information Disclosure in PSD ZIP Decompression
Description
A heap information disclosure vulnerability exists in ImageMagick's PSD (Adobe Photoshop) format handler. When processing a maliciously crafted PSD file containing ZIP-compressed layer data that decompresses to less than the expected size, uninitialized heap memory is leaked into the output image.
Expected Impact
Information disclosure leading to potential exposure of sensitive data from server memory.
Package Versions Affected
Package Version
patch Availability
No items found.
Automatically patch vulnerabilities without upgrading
Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request
CVSS Version
Severity
Base Score
CVSS Version
Score Vector
C
H
U
7.5
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
C
H
U
7.5
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Related Resources
No items found.
References
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-96pc-27rx-pr36, https://nvd.nist.gov/vuln/detail/CVE-2026-24481, https://github.com/ImageMagick/ImageMagick/commit/51c9d33f4770cdcfa1a029199375d570af801c97, https://github.com/ImageMagick/ImageMagick, https://github.com/dlemstra/Magick.NET/releases/tag/14.10.3
Basic Information
Ecosystem
