CVE-2026-24481 Overview
A heap information disclosure vulnerability exists in ImageMagick's PSD (Adobe Photoshop) format handler. ImageMagick is widely used free and open-source software for editing and manipulating digital images. When processing a maliciously crafted PSD file containing ZIP-compressed layer data that decompresses to less than the expected size, uninitialized heap memory is leaked into the output image. This vulnerability allows attackers to potentially extract sensitive information from server memory through specially crafted image files.
Critical Impact
Attackers can exploit this vulnerability to leak uninitialized heap memory contents, potentially exposing sensitive data such as cryptographic keys, authentication tokens, or other confidential information processed by the application.
Affected Products
- ImageMagick versions prior to 7.1.2-15
- ImageMagick versions prior to 6.9.13-40
Discovery Timeline
- 2026-02-24 - CVE CVE-2026-24481 published to NVD
- 2026-02-24 - Last updated in NVD database
Technical Details for CVE-2026-24481
Vulnerability Analysis
This vulnerability is classified as an Out-of-Bounds Read (CWE-125) affecting ImageMagick's PSD format parser. The flaw occurs in the handling of ZIP-compressed layer data within Adobe Photoshop (PSD) files. When the decompressed data size is smaller than what the parser expects based on the file metadata, the application continues reading beyond the valid data boundary, accessing uninitialized heap memory.
The leaked heap memory contents are then incorporated into the output image, enabling an attacker to extract potentially sensitive information. This type of vulnerability is particularly dangerous in server-side image processing scenarios where ImageMagick processes user-uploaded files, as it could allow extraction of data from previous memory allocations.
Root Cause
The root cause is improper bounds checking when processing ZIP-compressed layer data in PSD files. The PSD handler trusts the declared size metadata within the file format and allocates a buffer accordingly, but fails to validate that the actual decompressed data fills the entire expected buffer. When decompression yields fewer bytes than expected, the remaining buffer space contains uninitialized heap memory that subsequently gets included in image output operations.
Attack Vector
The attack can be executed remotely over the network without requiring authentication or user interaction. An attacker constructs a malicious PSD file with manipulated layer metadata that declares a larger data size than the actual compressed content can produce. When a vulnerable ImageMagick instance processes this file—such as through a web application's image upload or thumbnail generation feature—the heap memory leak is triggered, and the exposed data can be retrieved from the resulting processed image.
The exploitation process involves:
- Crafting a PSD file with ZIP-compressed layers where the declared uncompressed size exceeds the actual data
- Uploading or submitting the malicious PSD to a target system running vulnerable ImageMagick
- Retrieving the processed output image which now contains leaked heap memory data
- Extracting sensitive information from the embedded heap contents
Detection Methods for CVE-2026-24481
Indicators of Compromise
- Unusual PSD file uploads with mismatched layer metadata and actual content sizes
- Image processing errors or warnings related to PSD decompression operations
- Output images containing unexpected noise patterns or artifacts that could indicate memory leakage
Detection Strategies
- Monitor file processing logs for PSD files with ZIP-compressed layers reporting size mismatches
- Implement file integrity validation that compares declared sizes against actual decompressed content
- Deploy endpoint detection rules to identify malformed PSD files during upload operations
Monitoring Recommendations
- Enable verbose logging for ImageMagick processing operations to capture decompression anomalies
- Implement network monitoring for unusual patterns of PSD file uploads followed by image retrieval requests
- Set up alerts for repeated image processing failures or corruption warnings involving PSD format
How to Mitigate CVE-2026-24481
Immediate Actions Required
- Upgrade ImageMagick to version 7.1.2-15 or later (for the 7.x branch)
- Upgrade ImageMagick to version 6.9.13-40 or later (for the 6.x branch)
- Review and restrict which image formats are allowed for processing if PSD support is not required
- Audit systems for any signs of exploitation or unusual image processing behavior
Patch Information
ImageMagick has released patched versions that address this heap information disclosure vulnerability. The fix is included in versions 7.1.2-15 and 6.9.13-40. Organizations should update to these versions or later immediately. For detailed information about the security fix, refer to the GitHub Security Advisory.
Workarounds
- Disable PSD format processing by configuring ImageMagick's policy.xml to block PSD file handling
- Implement strict input validation that rejects PSD files before they reach ImageMagick
- Use application-level sandboxing to isolate ImageMagick processing and limit potential data exposure
# Configuration example - Disable PSD format in ImageMagick policy.xml
# Add to /etc/ImageMagick-7/policy.xml or /etc/ImageMagick-6/policy.xml
<policy domain="coder" rights="none" pattern="PSD" />
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
