Bug 2494107 (CVE-2026-13606) - CVE-2026-13606 GraphicsMagick: GraphicsMagick: Memory corruption via crafted Photo CD (PCD) file
Keywords:
Status: NEW
Alias: CVE-2026-13606
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2494108 2494109
Blocks:
Reported: 2026-06-29 08:36 UTC by OSIDB Bzimport
Modified: 2026-06-29 08:39 UTC (History)
CC List: 0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-06-29 08:36:13 UTC
GraphicsMagick's PCD decoder allocated the per-channel Huffman decode buffers at an exact fit (columns*rows + 1 byte) and advanced the write pointer in the decode loop with an unbounded "q++" and no per-write bound check. A crafted PCD file can drive the pointer past the end of the allocation, producing an attacker-controlled out-of-bounds write (and a preceding out-of-bounds read at the same site). This is the un-ported write-side half of ImageMagick's hardening for CVE-2026-26284: GraphicsMagick had ported ImageMagick's out-of-bounds READ fix (changeset 44292e321682) but not the per-write bound and buffer over-allocation, leaving the write path unguarded. The upstream fix over-provisions the decode buffers and adds an overflow-detection check before each write.

Reachability:
The sink is reached when decoding a PCD page/subimage index >= 4 (e.g. "PCD:file[4]") or with a "-size >= 1536x1024" read hint; a bare default decode does not reach it. PCD is content-detected by its magic, so the extension is not a barrier.

Impact:
The write is value- and offset-controlled. We demonstrated corruption of an adjacent heap allocation's allocator metadata leading to free() of an attacker-influenced pointer (ASLR-independent in our lab). Remote code execution was not demonstrated and is not claimed.

Relationship to existing CVEs:
Not a duplicate of CVE-2026-26284 (that is the out-of-bounds READ, which GraphicsMagick already ported). No existing GraphicsMagick CVE or advisory covers this PCD write path.
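
The fix pattern named in the description (over-provisioned decode buffers plus an overflow check before each write), as an added C example that is not GraphicsMagick's or upstream's code. `channel_buf`, `channel_alloc`, `channel_put`, `decode_channel`, the `SLACK` margin and the run-length input standing in for Huffman output are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#define SLACK 64 /* assumed over-provision margin; not the upstream value */
typedef struct { unsigned char *base, *q; size_t cap; } channel_buf; /* hypothetical */

/* Allocate columns*rows + 1 bytes plus slack, rejecting size_t overflow. */
static int channel_alloc(channel_buf *c, size_t columns, size_t rows)
{
    if (columns == 0 || rows == 0 || columns > (SIZE_MAX - 1 - SLACK) / rows)
        return -1;
    c->cap = columns * rows + 1 + SLACK;
    c->base = c->q = calloc(1, c->cap);
    return c->base ? 0 : -1;
}

/* Guarded form of "*q++ = v": never writes at or past base + cap. */
static int channel_put(channel_buf *c, unsigned char v)
{
    if ((size_t)(c->q - c->base) >= c->cap)
        return -1; /* overflow detected: caller aborts the decode */
    *c->q++ = v;
    return 0;
}

/* Toy decode over (count, value) pairs; returns bytes written, -1 overflow, -2 alloc. */
static long decode_channel(size_t columns, size_t rows, const unsigned char *in, size_t n)
{
    channel_buf c;
    long r = 0;
    if (channel_alloc(&c, columns, rows) != 0)
        return -2;
    for (size_t i = 0; i + 1 < n && r == 0; i += 2)
        for (unsigned k = 0; k < in[i] && r == 0; k++)
            r = channel_put(&c, in[i + 1]);
    if (r == 0)
        r = (long)(c.q - c.base);
    free(c.base);
    return r;
}

int main(void)
{
    /* Constructed inputs for a 4x2 channel: one fits, one claims 510 bytes. */
    const unsigned char ok[] = {5, 0x11, 3, 0x22}, bad[] = {255, 0x41, 255, 0x41};
    printf("%ld %ld\n", decode_channel(4, 2, ok, sizeof ok),
           decode_channel(4, 2, bad, sizeof bad));
    return 0;
}
```

The check compares the cursor offset against the allocated capacity rather than against the image dimensions, so a stream that claims more output than the buffer holds stops the decode with an error.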

