|
|
Log in / Subscribe / Register

SUSE alert SUSE-SU-2026:1598-1 (ImageMagick)



From:
              SLE-SECURITY-UPDATES <null@suse.de>


To:
              sle-security-updates@lists.suse.com


Subject:
              SUSE-SU-2026:1598-1: important: Security update for ImageMagick


Date:
              Fri, 24 Apr 2026 16:31:36 -0000


Message-ID:
              <177704829653.3109.16239491017496899559@a0a563bcf2df>




# Security update for ImageMagick

Announcement ID: SUSE-SU-2026:1598-1  
Release Date: 2026-04-24T11:44:47Z  
Rating: important  
References:

  * bsc#1262097
  * bsc#1262145
  * bsc#1262146
  * bsc#1262147
  * bsc#1262148
  * bsc#1262149
  * bsc#1262150
  * bsc#1262152
  * bsc#1262153
  * bsc#1262154
  * bsc#1262155
  * bsc#1262156

  
Cross-References:

  * CVE-2026-33899
  * CVE-2026-33900
  * CVE-2026-33901
  * CVE-2026-33902
  * CVE-2026-33905
  * CVE-2026-33908
  * CVE-2026-34238
  * CVE-2026-40169
  * CVE-2026-40183
  * CVE-2026-40310
  * CVE-2026-40311
  * CVE-2026-40312

  
CVSS scores:

  * CVE-2026-33899 ( SUSE ):  6.9
    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
  * CVE-2026-33899 ( SUSE ):  5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  * CVE-2026-33899 ( NVD ):  5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  * CVE-2026-33900 ( SUSE ):  6.0
    CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  * CVE-2026-33900 ( SUSE ):  5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2026-33900 ( NVD ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2026-33900 ( NVD ):  5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2026-33901 ( SUSE ):  8.7
    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  * CVE-2026-33901 ( SUSE ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2026-33901 ( NVD ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2026-33902 ( SUSE ):  6.7
    CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  * CVE-2026-33902 ( SUSE ):  5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  * CVE-2026-33902 ( NVD ):  5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  * CVE-2026-33905 ( SUSE ):  5.1
    CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  * CVE-2026-33905 ( SUSE ):  5.0 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
  * CVE-2026-33905 ( NVD ):  7.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
  * CVE-2026-33905 ( NVD ):  5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  * CVE-2026-33908 ( SUSE ):  8.7
    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  * CVE-2026-33908 ( SUSE ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2026-33908 ( NVD ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2026-34238 ( SUSE ):  5.1
    CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  * CVE-2026-34238 ( SUSE ):  5.0 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
  * CVE-2026-34238 ( NVD ):  5.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2026-34238 ( NVD ):  5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  * CVE-2026-40169 ( SUSE ):  6.9
    CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  * CVE-2026-40169 ( SUSE ):  6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2026-40169 ( NVD ):  6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2026-40169 ( NVD ):  5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  * CVE-2026-40183 ( SUSE ):  5.7
    CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  * CVE-2026-40183 ( SUSE ):  5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  * CVE-2026-40183 ( NVD ):  5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  * CVE-2026-40183 ( NVD ):  5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  * CVE-2026-40310 ( SUSE ):  5.7
    CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  * CVE-2026-40310 ( SUSE ):  5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  * CVE-2026-40310 ( NVD ):  5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  * CVE-2026-40310 ( NVD ):  5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  * CVE-2026-40311 ( SUSE ):  5.6
    CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  * CVE-2026-40311 ( SUSE ):  5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  * CVE-2026-40311 ( NVD ):  5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  * CVE-2026-40311 ( NVD ):  5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  * CVE-2026-40312 ( SUSE ):  6.9
    CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  * CVE-2026-40312 ( SUSE ):  6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2026-40312 ( NVD ):  6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2026-40312 ( NVD ):  5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

  
Affected Products:

  * Desktop Applications Module 15-SP7
  * Development Tools Module 15-SP7
  * SUSE Linux Enterprise Desktop 15 SP7
  * SUSE Linux Enterprise Real Time 15 SP7
  * SUSE Linux Enterprise Server 15 SP7
  * SUSE Linux Enterprise Server for SAP Applications 15 SP7

  
  
An update that solves 12 vulnerabilities can now be installed.

## Description:

This update for ImageMagick fixes the following issues:

  * CVE-2026-33899: Denial of Service via out-of-bounds write in XML parsing
    (bsc#1262154).
  * CVE-2026-33900: Denial of Service via integer truncation in viff encoder
    (bsc#1262156).
  * CVE-2026-33901: Denial of Service due to heap buffer overflow in MVG decoder
    (bsc#1262155).
  * CVE-2026-33902: Denial of Service via deeply nested expression in FX parser
    (bsc#1262153).
  * CVE-2026-33905: Denial of service via out-of-bounds read in -sample
    operation (bsc#1262097).
  * CVE-2026-33908: Denial of Service via deeply nested XML file processing
    (bsc#1262152).
  * CVE-2026-34238: Denial of Service via integer overflow in despeckle
    operation (bsc#1262147).
  * CVE-2026-40169: Denial of Service via crafted image leading to out-of-bounds
    write (bsc#1262150).
  * CVE-2026-40183: Denial of Service via heap write overflow in JXL encoder
    (bsc#1262145).
  * CVE-2026-40310: Denial of service via heap out-of-bounds write in JP2
    encoder (bsc#1262148).
  * CVE-2026-40311: Denial of Service via heap use-after-free in XMP profile
    processing (bsc#1262146).
  * CVE-2026-40312: Denial of Service via malicious MSL file processing
    (bsc#1262149).

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * Desktop Applications Module 15-SP7  
    zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-1598=1

  * Development Tools Module 15-SP7  
    zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP7-2026-1598=1

## Package List:

  * Desktop Applications Module 15-SP7 (aarch64 ppc64le s390x x86_64)
    * ImageMagick-config-7-upstream-secure-7.1.1.43-150700.3.47.1
    * libMagick++-7_Q16HDRI5-debuginfo-7.1.1.43-150700.3.47.1
    * libMagickWand-7_Q16HDRI10-debuginfo-7.1.1.43-150700.3.47.1
    * ImageMagick-debugsource-7.1.1.43-150700.3.47.1
    * libMagick++-devel-7.1.1.43-150700.3.47.1
    * ImageMagick-config-7-SUSE-7.1.1.43-150700.3.47.1
    * ImageMagick-config-7-upstream-websafe-7.1.1.43-150700.3.47.1
    * ImageMagick-7.1.1.43-150700.3.47.1
    * ImageMagick-config-7-upstream-limited-7.1.1.43-150700.3.47.1
    * libMagick++-7_Q16HDRI5-7.1.1.43-150700.3.47.1
    * libMagickCore-7_Q16HDRI10-debuginfo-7.1.1.43-150700.3.47.1
    * ImageMagick-devel-7.1.1.43-150700.3.47.1
    * libMagickCore-7_Q16HDRI10-7.1.1.43-150700.3.47.1
    * ImageMagick-config-7-upstream-open-7.1.1.43-150700.3.47.1
    * libMagickWand-7_Q16HDRI10-7.1.1.43-150700.3.47.1
    * ImageMagick-debuginfo-7.1.1.43-150700.3.47.1
  * Development Tools Module 15-SP7 (aarch64 ppc64le s390x x86_64)
    * perl-PerlMagick-7.1.1.43-150700.3.47.1
    * ImageMagick-debugsource-7.1.1.43-150700.3.47.1
    * ImageMagick-debuginfo-7.1.1.43-150700.3.47.1
    * perl-PerlMagick-debuginfo-7.1.1.43-150700.3.47.1

## References:

  * https://www.suse.com/security/cve/CVE-2026-33899.html
  * https://www.suse.com/security/cve/CVE-2026-33900.html
  * https://www.suse.com/security/cve/CVE-2026-33901.html
  * https://www.suse.com/security/cve/CVE-2026-33902.html
  * https://www.suse.com/security/cve/CVE-2026-33905.html
  * https://www.suse.com/security/cve/CVE-2026-33908.html
  * https://www.suse.com/security/cve/CVE-2026-34238.html
  * https://www.suse.com/security/cve/CVE-2026-40169.html
  * https://www.suse.com/security/cve/CVE-2026-40183.html
  * https://www.suse.com/security/cve/CVE-2026-40310.html
  * https://www.suse.com/security/cve/CVE-2026-40311.html
  * https://www.suse.com/security/cve/CVE-2026-40312.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1262097
  * https://bugzilla.suse.com/show_bug.cgi?id=1262145
  * https://bugzilla.suse.com/show_bug.cgi?id=1262146
  * https://bugzilla.suse.com/show_bug.cgi?id=1262147
  * https://bugzilla.suse.com/show_bug.cgi?id=1262148
  * https://bugzilla.suse.com/show_bug.cgi?id=1262149
  * https://bugzilla.suse.com/show_bug.cgi?id=1262150
  * https://bugzilla.suse.com/show_bug.cgi?id=1262152
  * https://bugzilla.suse.com/show_bug.cgi?id=1262153
  * https://bugzilla.suse.com/show_bug.cgi?id=1262154
  * https://bugzilla.suse.com/show_bug.cgi?id=1262155
  * https://bugzilla.suse.com/show_bug.cgi?id=1262156





Attachment: None (type=text/html)

(HTML attachment elided)
to post comments


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds