Bug 2494108 - CVE-2026-13606 GraphicsMagick: GraphicsMagick: Memory corruption via crafted Photo CD (PCD) file [fedora-all]
Summary: CVE-2026-13606 GraphicsMagick: GraphicsMagick: Memory corruption via crafted ...
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: GraphicsMagick
Version: rawhide
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
Assignee: Andreas Thienemann
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: {"flaws": ["bef27955-50fa-4d96-8dff-b...
Depends On:
Blocks: CVE-2026-13606
TreeView+ depends on / blocked
 
Reported: 2026-06-29 08:39 UTC by Michal Findra
Modified: 2026-06-29 08:39 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Michal Findra 2026-06-29 08:39:18 UTC
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

GraphicsMagick's PCD decoder allocated the per-channel Huffman decode buffers at an exact fit (columns*rows + 1 byte) and advanced the write pointer in the decode loop with an unbounded "q++" and no per-write bound check. A crafted PCD file can drive the pointer past the end of the allocation, producing an attacker-controlled out-of-bounds write (and a preceding out-of-bounds read at the same site). This is the un-ported write-side half of ImageMagick's hardening for CVE-2026-26284: GraphicsMagick had ported ImageMagick's out-of-bounds READ fix (changeset 44292e321682) but not the per-write bound and buffer over-allocation, leaving the write path unguarded. The upstream fix over-provisions the decode buffers and adds an overflow-detection check before each write.

Reachability:
The sink is reached when decoding a PCD page/subimage index >= 4 (e.g. "PCD:file[4]") or with a "-size >= 1536x1024" read hint; a bare default decode does not reach it. PCD is content-detected by its magic, so the extension is not a barrier.

Impact:
The write is value- and offset-controlled. We demonstrated corruption of an adjacent heap allocation's allocator metadata leading to free() of an attacker-influenced pointer (ASLR-independent in our lab). Remote code execution was not demonstrated and is not claimed.

Relationship to existing CVEs:
Not a duplicate of CVE-2026-26284 (that is the out-of-bounds READ, which GraphicsMagick already ported). No existing GraphicsMagick CVE or advisory covers this PCD write path.


Note You need to log in before you can comment on or make changes to this bug.