Bug 2494107 (CVE-2026-13606)

Summary: CVE-2026-13606 GraphicsMagick: Memory corruption via crafted Photo CD (PCD) file
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: high
Priority: high
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A flaw was found in GraphicsMagick's Photo CD (PCD) decoder. A remote attacker could exploit this vulnerability by providing a specially crafted PCD file. This could lead to an out-of-bounds write, corrupting memory and potentially causing a denial of service or other unpredictable system behavior.
Bug Depends On: 2494108, 2494109    

Description OSIDB Bzimport 2026-06-29 08:36:13 UTC
GraphicsMagick's PCD decoder allocated the per-channel Huffman decode buffers at an exact fit (columns*rows + 1 byte) and advanced the write pointer in the decode loop with an unbounded "q++" and no per-write bound check. A crafted PCD file can drive the pointer past the end of the allocation, producing an attacker-controlled out-of-bounds write (and a preceding out-of-bounds read at the same site). This is the un-ported write-side half of ImageMagick's hardening for CVE-2026-26284: GraphicsMagick had ported ImageMagick's out-of-bounds READ fix (changeset 44292e321682) but not the per-write bound and buffer over-allocation, leaving the write path unguarded. The upstream fix over-provisions the decode buffers and adds an overflow-detection check before each write.

Reachability:
The sink is reached when decoding a PCD page/subimage index >= 4 (e.g. "PCD:file[4]") or with a "-size >= 1536x1024" read hint; a bare default decode does not reach it. PCD is content-detected by its magic, so the extension is not a barrier.

Impact:
The write is value- and offset-controlled. We demonstrated corruption of an adjacent heap allocation's allocator metadata leading to free() of an attacker-influenced pointer (ASLR-independent in our lab). Remote code execution was not demonstrated and is not claimed.

Relationship to existing CVEs:
Not a duplicate of CVE-2026-26284 (that is the out-of-bounds READ, which GraphicsMagick already ported). No existing GraphicsMagick CVE or advisory covers this PCD write path.
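
The fix pattern named in the description (over-provisioned decode buffer plus a check before each write), as an added C example that is not GraphicsMagick's code. The run-length input is a constructed stand-in for the Huffman symbol stream, and `decode_plane`, `DECODE_SLACK` and the status enum are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define DECODE_SLACK 64 /* assumed over-allocation margin, not upstream's value */

typedef enum { DEC_OK = 0, DEC_BAD_DIMS, DEC_NO_MEM, DEC_OVERFLOW } dec_status;

/* Decodes (count, value) pairs into a columns*rows plane. The toy stream
   stands in for variable-length symbol decoding; it is not the PCD format. */
dec_status decode_plane(const uint8_t *in, size_t in_len, size_t columns,
                        size_t rows, uint8_t **plane, size_t *written)
{
    *plane = NULL;
    *written = 0;
    /* Reject dimensions whose product (plus slack) would wrap size_t. */
    if (columns == 0 || rows == 0 || columns > (SIZE_MAX - DECODE_SLACK) / rows)
        return DEC_BAD_DIMS;
    size_t need = columns * rows;
    uint8_t *buf = calloc(need + DECODE_SLACK, 1); /* over-provisioned */
    if (buf == NULL)
        return DEC_NO_MEM;
    uint8_t *q = buf;
    const uint8_t *end = buf + need; /* logical end; slack lies beyond it */
    for (size_t i = 0; i + 1 < in_len; i += 2) {
        uint8_t count = in[i], value = in[i + 1];
        while (count-- > 0) {
            /* The unguarded form is a bare "*q++ = value;" here. */
            if (q >= end) { /* per-write bound check */
                free(buf);
                return DEC_OVERFLOW;
            }
            *q++ = value;
        }
    }
    *written = (size_t)(q - buf);
    *plane = buf;
    return DEC_OK;
}

int main(void)
{
    /* Constructed input: 510 samples aimed at a 3x2 (6-sample) plane. */
    const uint8_t crafted[] = {255, 0x41, 255, 0x41};
    uint8_t *plane;
    size_t n;
    dec_status s = decode_plane(crafted, sizeof crafted, 3, 2, &plane, &n);
    printf("status=%d written=%zu\n", (int)s, n);
    return s == DEC_OVERFLOW ? 0 : 1;
}
```

The check rejects the stream at the first sample that would land past the logical end, so the slack bytes are never relied on for correctness; they only absorb a bounded overrun if some write path is missed.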