Security update for ImageMagick

Announcement ID:	SUSE-SU-2026:1598-1
Release Date:	2026-04-24T11:44:47Z
Rating:	important
References:	bsc#1262097 bsc#1262145 bsc#1262146 bsc#1262147 bsc#1262148 bsc#1262149 bsc#1262150 bsc#1262152 bsc#1262153 bsc#1262154 bsc#1262155 bsc#1262156
Cross-References:	CVE-2026-33899 CVE-2026-33900 CVE-2026-33901 CVE-2026-33902 CVE-2026-33905 CVE-2026-33908 CVE-2026-34238 CVE-2026-40169 CVE-2026-40183 CVE-2026-40310 CVE-2026-40311 CVE-2026-40312
CVSS scores:	CVE-2026-33899 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2026-33899 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2026-33899 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2026-33900 ( SUSE ): 6.0 CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2026-33900 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-33900 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-33900 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-33901 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2026-33901 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-33901 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-33902 ( SUSE ): 6.7 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2026-33902 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2026-33902 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2026-33905 ( SUSE ): 5.1 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2026-33905 ( SUSE ): 5.0 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H CVE-2026-33905 ( NVD ): 7.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H CVE-2026-33905 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2026-33908 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2026-33908 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-33908 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-34238 ( SUSE ): 5.1 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2026-34238 ( SUSE ): 5.0 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H CVE-2026-34238 ( NVD ): 5.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-34238 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2026-40169 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2026-40169 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-40169 ( NVD ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-40169 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2026-40183 ( SUSE ): 5.7 CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2026-40183 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2026-40183 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2026-40183 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2026-40310 ( SUSE ): 5.7 CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2026-40310 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2026-40310 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2026-40310 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2026-40311 ( SUSE ): 5.6 CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2026-40311 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2026-40311 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2026-40311 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2026-40312 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2026-40312 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-40312 ( NVD ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-40312 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected Products:	Desktop Applications Module 15-SP7 Development Tools Module 15-SP7 SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise Real Time 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7

An update that solves 12 vulnerabilities can now be installed.

Description:

This update for ImageMagick fixes the following issues:

• CVE-2026-33899: Denial of Service via out-of-bounds write in XML parsing (bsc#1262154).
• CVE-2026-33900: Denial of Service via integer truncation in viff encoder (bsc#1262156).
• CVE-2026-33901: Denial of Service due to heap buffer overflow in MVG decoder (bsc#1262155).
• CVE-2026-33902: Denial of Service via deeply nested expression in FX parser (bsc#1262153).
• CVE-2026-33905: Denial of service via out-of-bounds read in -sample operation (bsc#1262097).
• CVE-2026-33908: Denial of Service via deeply nested XML file processing (bsc#1262152).
• CVE-2026-34238: Denial of Service via integer overflow in despeckle operation (bsc#1262147).
• CVE-2026-40169: Denial of Service via crafted image leading to out-of-bounds write (bsc#1262150).
• CVE-2026-40183: Denial of Service via heap write overflow in JXL encoder (bsc#1262145).
• CVE-2026-40310: Denial of service via heap out-of-bounds write in JP2 encoder (bsc#1262148).
• CVE-2026-40311: Denial of Service via heap use-after-free in XMP profile processing (bsc#1262146).
• CVE-2026-40312: Denial of Service via malicious MSL file processing (bsc#1262149).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Desktop Applications Module 15-SP7
  zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP7-2026-1598=1
• Development Tools Module 15-SP7
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP7-2026-1598=1

Package List:

• Desktop Applications Module 15-SP7 (aarch64 ppc64le s390x x86_64)
  • ImageMagick-config-7-upstream-secure-7.1.1.43-150700.3.47.1
  • libMagick++-7_Q16HDRI5-debuginfo-7.1.1.43-150700.3.47.1
  • libMagickWand-7_Q16HDRI10-debuginfo-7.1.1.43-150700.3.47.1
  • ImageMagick-debugsource-7.1.1.43-150700.3.47.1
  • libMagick++-devel-7.1.1.43-150700.3.47.1
  • ImageMagick-config-7-SUSE-7.1.1.43-150700.3.47.1
  • ImageMagick-config-7-upstream-websafe-7.1.1.43-150700.3.47.1
  • ImageMagick-7.1.1.43-150700.3.47.1
  • ImageMagick-config-7-upstream-limited-7.1.1.43-150700.3.47.1
  • libMagick++-7_Q16HDRI5-7.1.1.43-150700.3.47.1
  • libMagickCore-7_Q16HDRI10-debuginfo-7.1.1.43-150700.3.47.1
  • ImageMagick-devel-7.1.1.43-150700.3.47.1
  • libMagickCore-7_Q16HDRI10-7.1.1.43-150700.3.47.1
  • ImageMagick-config-7-upstream-open-7.1.1.43-150700.3.47.1
  • libMagickWand-7_Q16HDRI10-7.1.1.43-150700.3.47.1
  • ImageMagick-debuginfo-7.1.1.43-150700.3.47.1
• Development Tools Module 15-SP7 (aarch64 ppc64le s390x x86_64)
  • perl-PerlMagick-7.1.1.43-150700.3.47.1
  • ImageMagick-debugsource-7.1.1.43-150700.3.47.1
  • ImageMagick-debuginfo-7.1.1.43-150700.3.47.1
  • perl-PerlMagick-debuginfo-7.1.1.43-150700.3.47.1

References:

• https://www.suse.com/security/cve/CVE-2026-33899.html
• https://www.suse.com/security/cve/CVE-2026-33900.html
• https://www.suse.com/security/cve/CVE-2026-33901.html
• https://www.suse.com/security/cve/CVE-2026-33902.html
• https://www.suse.com/security/cve/CVE-2026-33905.html
• https://www.suse.com/security/cve/CVE-2026-33908.html
• https://www.suse.com/security/cve/CVE-2026-34238.html
• https://www.suse.com/security/cve/CVE-2026-40169.html
• https://www.suse.com/security/cve/CVE-2026-40183.html
• https://www.suse.com/security/cve/CVE-2026-40310.html
• https://www.suse.com/security/cve/CVE-2026-40311.html
• https://www.suse.com/security/cve/CVE-2026-40312.html
• https://bugzilla.suse.com/show_bug.cgi?id=1262097
• https://bugzilla.suse.com/show_bug.cgi?id=1262145
• https://bugzilla.suse.com/show_bug.cgi?id=1262146
• https://bugzilla.suse.com/show_bug.cgi?id=1262147
• https://bugzilla.suse.com/show_bug.cgi?id=1262148
• https://bugzilla.suse.com/show_bug.cgi?id=1262149
• https://bugzilla.suse.com/show_bug.cgi?id=1262150
• https://bugzilla.suse.com/show_bug.cgi?id=1262152
• https://bugzilla.suse.com/show_bug.cgi?id=1262153
• https://bugzilla.suse.com/show_bug.cgi?id=1262154
• https://bugzilla.suse.com/show_bug.cgi?id=1262155
• https://bugzilla.suse.com/show_bug.cgi?id=1262156