Alpine: multiple imagemagick packages: security update to 7.1.2.15-r0

Critical: Tenable Self-Hosted Container Security, Plugin ID 438171

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to
versions 7.1.2-15 and 6.9.13-40, a heap buffer overflow write vulnerability exists in ReadYUVImage()
(coders/yuv.c) when processing malicious YUV 4:2:2 (NoInterlace) images. The pixel-pair loop writes one
pixel beyond the allocated row buffer. Versions 7.1.2-15 and 6.9.13-40 contain a patch. (CVE-2026-25986)

- ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to
versions 7.1.2-15 and 6.9.13-40, a heap information disclosure vulnerability exists in ImageMagick's PSD
(Adobe Photoshop) format handler. When processing a maliciously crafted PSD file containing ZIP-compressed
layer data that decompresses to less than the expected size, uninitialized heap memory is leaked into the
output image. Versions 7.1.2-15 and 6.9.13-40 contain a patch. (CVE-2026-24481)

- ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to
versions 7.1.2-15 and 6.9.13-40, Magick fails to check for multi-layer nested MVG conversions to SVG,
leading to DoS. Versions 7.1.2-15 and 6.9.13-40 contain a patch. (CVE-2026-24484)

- ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to
versions 7.1.2-15 and 6.9.13-40, when a PCD file does not contain a valid Sync marker, the DecodeImage()
function becomes trapped in an infinite loop while searching for the Sync marker, causing the program to
become unresponsive and continuously consume CPU resources, ultimately leading to system resource
exhaustion and denial of service. Versions 7.1.2-15 and 6.9.13-40 contain a patch. (CVE-2026-24485)

- ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to
versions 7.1.2-15 and 6.9.13-40, a heap buffer over-read vulnerability exists in multiple raw image format
handlers. The vulnerability occurs when processing images with -extract dimensions larger than -size
dimensions, causing out-of-bounds memory reads from a heap-allocated buffer. Versions 7.1.2-15 and
6.9.13-40 contain a patch. (CVE-2026-25576)

See Also

https://security.alpinelinux.org/vuln/CVE-2026-24481

https://security.alpinelinux.org/vuln/CVE-2026-24484

https://security.alpinelinux.org/vuln/CVE-2026-24485

https://security.alpinelinux.org/vuln/CVE-2026-25576

https://security.alpinelinux.org/vuln/CVE-2026-25637

https://security.alpinelinux.org/vuln/CVE-2026-25638

https://security.alpinelinux.org/vuln/CVE-2026-25794

https://security.alpinelinux.org/vuln/CVE-2026-25795

https://security.alpinelinux.org/vuln/CVE-2026-25796

https://security.alpinelinux.org/vuln/CVE-2026-25797

https://security.alpinelinux.org/vuln/CVE-2026-25798

https://security.alpinelinux.org/vuln/CVE-2026-25799

https://security.alpinelinux.org/vuln/CVE-2026-25897

https://security.alpinelinux.org/vuln/CVE-2026-25898

https://security.alpinelinux.org/vuln/CVE-2026-25965

https://security.alpinelinux.org/vuln/CVE-2026-25966

https://security.alpinelinux.org/vuln/CVE-2026-25967

https://security.alpinelinux.org/vuln/CVE-2026-25968

https://security.alpinelinux.org/vuln/CVE-2026-25969

https://security.alpinelinux.org/vuln/CVE-2026-25970

https://security.alpinelinux.org/vuln/CVE-2026-25971

https://security.alpinelinux.org/vuln/CVE-2026-25982

https://security.alpinelinux.org/vuln/CVE-2026-25983

https://security.alpinelinux.org/vuln/CVE-2026-25985

https://security.alpinelinux.org/vuln/CVE-2026-25986

https://security.alpinelinux.org/vuln/CVE-2026-25987

https://security.alpinelinux.org/vuln/CVE-2026-25988

https://security.alpinelinux.org/vuln/CVE-2026-25989

https://security.alpinelinux.org/vuln/CVE-2026-26066

https://security.alpinelinux.org/vuln/CVE-2026-26283

https://security.alpinelinux.org/vuln/CVE-2026-26284

https://security.alpinelinux.org/vuln/CVE-2026-26983

https://security.alpinelinux.org/vuln/CVE-2026-27798

https://security.alpinelinux.org/vuln/CVE-2026-27799

Plugin Details

Severity: Critical

ID: 438171

Version: Revision 1.2

Type: Local

Published: 3/4/2026

Updated: 3/16/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.39

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-25986

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 2/24/2026

Reference Information

CVE: CVE-2026-24481, CVE-2026-24484, CVE-2026-24485, CVE-2026-25576, CVE-2026-25637, CVE-2026-25638, CVE-2026-25794, CVE-2026-25795, CVE-2026-25796, CVE-2026-25797, CVE-2026-25798, CVE-2026-25799, CVE-2026-25897, CVE-2026-25898, CVE-2026-25965, CVE-2026-25966, CVE-2026-25967, CVE-2026-25968, CVE-2026-25969, CVE-2026-25970, CVE-2026-25971, CVE-2026-25982, CVE-2026-25983, CVE-2026-25985, CVE-2026-25986, CVE-2026-25987, CVE-2026-25988, CVE-2026-25989, CVE-2026-26066, CVE-2026-26283, CVE-2026-26284, CVE-2026-26983, CVE-2026-27798, CVE-2026-27799

IAVB: 2026-B-0051