## This update for ImageMagick fixes the following issues:

* CVE-2026-28493: integer overflow in the SIXEL decoder leads to out-of-bounds write (bsc#1259446).
* CVE-2026-28494: missing bounds checks in the morphology kernel parsing functions can lead to a stack buffer overflow (bsc#1259447).
* CVE-2026-28686: undersized output buffer allocation in the PCL encoder can lead to a heap buffer overflow (bsc#1259448).
* CVE-2026-28687: heap use-after-free vulnerability in the MSL decoder via a crafted MSL file (bsc#1259450).
* CVE-2026-28688: heap use-after-free in the MSL encoder when a cloned image is destroyed twice (bsc#1259451).
* CVE-2026-28689: `domain="path"` authorization is checked before final file open/use and allows for read/write bypass via symlink swaps (bsc#1259452).

* bsc#1259446
* bsc#1259447
* bsc#1259448
* bsc#1259450
* bsc#1259451
* bsc#1259452
* bsc#1259455
* bsc#1259456
* bsc#1259457
* bsc#1259463
* bsc#1259464
* bsc#1259466
* bsc#1259467
* bsc#1259468
* bsc#1259497
* bsc#1259528
* bsc#1259612
* bsc#1259872
* bsc#1260874
* bsc#1260879
Cross-
* CVE-2026-28493
* CVE-2026-28494
* CVE-2026-28686
* CVE-2026-28687
* CVE-2026-28688
* CVE-2026-28689
* CVE-2026-28690
* CVE-2026-28691
* CVE-2026-28692
* CVE-2026-28693
* CVE-2026-30883
* CVE-2026-30929
* CVE-2026-30935
* CVE-2026-30936
* CVE-2026-30937
* CVE-2026-31853
* CVE-2026-32259
* CVE-2026-32636
* CVE-2026-33535
* CVE-2026-33536
CVSS scores:
* CVE-2026-28493 ( SUSE ): 8.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N