## This update for ImageMagick fixes the following issues: * CVE-2026-24484: denial of service vulnerability via multi-layer nested MVG to SVG conversion (bsc#1258790). * CVE-2026-28494: missing bounds checks in the morphology kernel parsing functions can lead to a stack buffer overflow (bsc#1259447). * CVE-2026-28686: undersized output buffer allocation in the PCL encoder can lead to a heap buffer overflow (bsc#1259448). * CVE-2026-28687: heap use-after-free vulnerability in the MSL decoder via a crafted MSL file (bsc#1259450). * CVE-2026-28688: heap use-after-free in the MSL encoder when a cloned image is destroyed twice (bsc#1259451). * CVE-2026-28689: `domain="path"` authorization is checked before final file open/use and allows for read/write bypass via symlink swaps (bsc#1259452).
* bsc#1258790
* bsc#1259447
* bsc#1259448
* bsc#1259450
* bsc#1259451
* bsc#1259452
* bsc#1259455
* bsc#1259456
* bsc#1259457
* bsc#1259463
* bsc#1259466
* bsc#1259467
* bsc#1259528
* bsc#1260874
* bsc#1260879
Cross-
* CVE-2026-24484
* CVE-2026-28494
* CVE-2026-28686
* CVE-2026-28687
* CVE-2026-28688
* CVE-2026-28689
* CVE-2026-28690
* CVE-2026-28691
* CVE-2026-28692
* CVE-2026-28693
* CVE-2026-30883
* CVE-2026-30937
* CVE-2026-31853
* CVE-2026-33535
* CVE-2026-33536
CVSS scores:
* CVE-2026-24484 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-24484 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-24484 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2026-28494 ( SUSE ): 8.8
Get the latest Linux and open source security news straight to your inbox.