openSUSE 16 Security Update : ImageMagick (openSUSE-SU-2026:20606-1)

high Nessus Plugin ID 310088

Synopsis

The remote openSUSE host is missing one or more security updates.

Description

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20606-1 advisory.

- CVE-2026-32259: stack out-of-bounds write due to a memory allocation failure in the sixel encoder can lead to a crash (bsc#1259612).
- CVE-2026-32636: out-of-bounds write of a single zero byte due to a bug in the `NewXMLTree` method can lead to denial of service (bsc#1259872).
- CVE-2026-33535: out-of-bounds write of a zero byte in the X11 `display` interaction path can lead to a crash (bsc#1260874).
- CVE-2026-33536: stack out-of-bounds write due to incorrect return value on certain platforms can lead to a denial of service (bsc#1260879).
- CVE-2026-33899: out-of-bounds write of a single zero byte in XML parsing can lead to a denial of service (bsc#1262154).
- CVE-2026-33900: heap out-of-bounds write due to integer truncation in viff encoder can lead to a crash (bsc#1262156).
- CVE-2026-33901: heap buffer overflow in the MVG decoder can lead to memory corruption or a crash (bsc#1262155).
- CVE-2026-33902: stack buffer overflow in the FX expression parser can lead to a process crash (bsc#1262153).
- CVE-2026-33905: out-of-bounds read in `-sample` operation can lead to a denial of service (bsc#1262097).
- CVE-2026-33908: recursive execution with no depth limit imposed when processing XML files can lead to resource exhaustion and a denial of service (bsc#1262152).
- CVE-2026-34238: heap buffer overflow due to integer overflow in the despeckle operation can lead to a denial of service (bsc#1262147).
- CVE-2026-40169: out-of-bounds heap write when processing a crafted image and writing a YAML or JSON output can lead to a crash (bsc#1262150).
- CVE-2026-40183: heap out-of-bounds write in the JXL encoder can lead to a denial of service (bsc#1262145).
- CVE-2026-40310: heap out-of-bounds write in the JP2 encoder can lead to a denial of service (bsc#1262148).
- CVE-2026-40311: heap use-after-free when reading and printing values from an invalid XMP profile can lead to a denial of service (bsc#1262146).
- CVE-2026-40312: off-by-one error in the MSL decoder can lead to a crash (bsc#1262149).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/1259612

https://bugzilla.suse.com/1259872

https://bugzilla.suse.com/1260874

https://bugzilla.suse.com/1260879

https://bugzilla.suse.com/1262097

https://bugzilla.suse.com/1262145

https://bugzilla.suse.com/1262146

https://bugzilla.suse.com/1262147

https://bugzilla.suse.com/1262148

https://bugzilla.suse.com/1262149

https://bugzilla.suse.com/1262150

https://bugzilla.suse.com/1262152

https://bugzilla.suse.com/1262153

https://bugzilla.suse.com/1262154

https://bugzilla.suse.com/1262155

https://bugzilla.suse.com/1262156

https://www.suse.com/security/cve/CVE-2026-32259

https://www.suse.com/security/cve/CVE-2026-32636

https://www.suse.com/security/cve/CVE-2026-33535

https://www.suse.com/security/cve/CVE-2026-33536

https://www.suse.com/security/cve/CVE-2026-33899

https://www.suse.com/security/cve/CVE-2026-33900

https://www.suse.com/security/cve/CVE-2026-33901

https://www.suse.com/security/cve/CVE-2026-33902

https://www.suse.com/security/cve/CVE-2026-33905

https://www.suse.com/security/cve/CVE-2026-33908

https://www.suse.com/security/cve/CVE-2026-34238

https://www.suse.com/security/cve/CVE-2026-40169

https://www.suse.com/security/cve/CVE-2026-40183

https://www.suse.com/security/cve/CVE-2026-40310

https://www.suse.com/security/cve/CVE-2026-40311

https://www.suse.com/security/cve/CVE-2026-40312

Plugin Details

Severity: High

ID: 310088

File Name: openSUSE-2026-20606-1.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 4/24/2026

Updated: 4/24/2026

Supported Sensors: Nessus Agent, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.0

CVSS v2

Risk Factor: Medium

Base Score: 6.6

Temporal Score: 4.9

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:N/A:C

CVSS Score Source: CVE-2026-33905

CVSS v3

Risk Factor: High

Base Score: 7.1

Temporal Score: 6.2

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:novell:opensuse:16.0, p-cpe:/a:novell:opensuse:imagemagick-devel, p-cpe:/a:novell:opensuse:imagemagick-extra, p-cpe:/a:novell:opensuse:imagemagick-config-7-upstream-websafe, p-cpe:/a:novell:opensuse:libmagickcore-7_q16hdri10, p-cpe:/a:novell:opensuse:perl-perlmagick, p-cpe:/a:novell:opensuse:imagemagick-config-7-suse, p-cpe:/a:novell:opensuse:imagemagick-config-7-upstream-open, p-cpe:/a:novell:opensuse:libmagick%2b%2b-devel, p-cpe:/a:novell:opensuse:libmagick%2b%2b-7_q16hdri5, p-cpe:/a:novell:opensuse:imagemagick-config-7-upstream-secure, p-cpe:/a:novell:opensuse:libmagickwand-7_q16hdri10, p-cpe:/a:novell:opensuse:imagemagick, p-cpe:/a:novell:opensuse:imagemagick-config-7-upstream-limited

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 4/22/2026

Vulnerability Publication Date: 3/12/2026

Reference Information

CVE: CVE-2026-32259, CVE-2026-32636, CVE-2026-33535, CVE-2026-33536, CVE-2026-33899, CVE-2026-33900, CVE-2026-33901, CVE-2026-33902, CVE-2026-33905, CVE-2026-33908, CVE-2026-34238, CVE-2026-40169, CVE-2026-40183, CVE-2026-40310, CVE-2026-40311, CVE-2026-40312