GHSA-wgxp-q8xq-wpp9: ImageMagick: Malicious PCD files trigger 1‑byte heap Out-of-bounds Read and DoS

February 25, 2026

The PCD coder’s DecodeImage loop allows a crafted PCD file to trigger a 1‑byte heap out-of-bounds read when decoding an image (Denial of service) and potential disclosure of adjacent heap byte.

References

github.com/ImageMagick/ImageMagick
github.com/ImageMagick/ImageMagick/commit/436e5d2589e3c0adc10d9aa189e81d5d088d8207
github.com/ImageMagick/ImageMagick/security/advisories/GHSA-wgxp-q8xq-wpp9
github.com/advisories/GHSA-wgxp-q8xq-wpp9
github.com/dlemstra/Magick.NET/releases/tag/14.10.3

Code Behaviors & Features

Detect and mitigate GHSA-wgxp-q8xq-wpp9 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →