new file mode 100644
@@ -0,0 +1,26 @@
+From 6cefe972445185cbb9c76651231d52512e0ec14b Mon Sep 17 00:00:00 2001
+From: Dirk Lemstra <dirk@lemstra.org>
+Date: Sat, 28 Feb 2026 11:01:24 +0100
+Subject: [PATCH] Corrected typecast to avoid an out of bounds write
+ (GHSA-r39q-jr8h-gcq2)
+
+Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/6cefe972445185cbb9c76651231d52512e0ec14b]
+CVE: CVE-2026-28493
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ coders/sixel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/coders/sixel.c b/coders/sixel.c
+index 5de968e3581..a9ccd8a677a 100644
+--- a/coders/sixel.c
++++ b/coders/sixel.c
+@@ -573,7 +573,7 @@ static MagickBooleanType sixel_decode(Im
+ return(MagickFalse);
+ }
+ for (x = 0; x < repeat_count; x++)
+- imbuf[(int) offset+x] = color_index;
++ imbuf[(size_t) offset+x]=(sixel_pixel_t) color_index;
+ }
+ if (max_x < (position_x+repeat_count-1))
+ max_x = position_x+repeat_count-1;
new file mode 100644
@@ -0,0 +1,34 @@
+From 47a803cc139a6eebf14fca5f1d5dd25c7782cc98 Mon Sep 17 00:00:00 2001
+From: Dirk Lemstra <dirk@lemstra.org>
+Date: Sat, 28 Feb 2026 11:03:09 +0100
+Subject: [PATCH] Added checks for overflows.
+
+Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/47a803cc139a6eebf14fca5f1d5dd25c7782cc98]
+CVE: CVE-2026-28493
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ coders/sixel.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/coders/sixel.c b/coders/sixel.c
+index a9ccd8a677a..d3a77aff219 100644
+--- a/coders/sixel.c
++++ b/coders/sixel.c
+@@ -536,7 +536,7 @@ static MagickBooleanType sixel_decode(Im
+ {
+ offset=(size_t) (imsx*((ssize_t) position_y+i)+
+ (ssize_t) position_x);
+- if (offset >= (size_t) (imsx*imsy))
++ if ((offset < 0) || (offset >= (imsx*imsy)))
+ {
+ imbuf=(sixel_pixel_t *) RelinquishMagickMemory(imbuf);
+ return(MagickFalse);
+@@ -567,7 +567,7 @@ static MagickBooleanType sixel_decode(Im
+ for (y = position_y + i; y < position_y + i + n; ++y)
+ {
+ offset=(size_t) ((ssize_t) imsx*y+(ssize_t) position_x);
+- if ((offset+(size_t) repeat_count) >= (size_t) (imsx*imsy))
++ if ((offset < 0) || ((offset+repeat_count) >= (imsx*imsy)))
+ {
+ imbuf=(sixel_pixel_t *) RelinquishMagickMemory(imbuf);
+ return(MagickFalse);
new file mode 100644
@@ -0,0 +1,25 @@
+From cd7acd2c4bea5c953fae062d9ce43d11374dcb60 Mon Sep 17 00:00:00 2001
+From: Jake Lodwick <jakelodwick@users.noreply.github.com>
+Date: Sun, 1 Mar 2026 04:46:29 -0700
+Subject: [PATCH] Add overflow check to sixel write path (#8587)
+
+Upstream-Status: Backport [https://github.com/ImageMagick/ImageMagick/commit/cd7acd2c4bea5c953fae062d9ce43d11374dcb60]
+CVE: CVE-2026-28493
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ coders/sixel.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/coders/sixel.c b/coders/sixel.c
+index d3a77aff219..b242959385d 100644
+--- a/coders/sixel.c
++++ b/coders/sixel.c
+@@ -815,6 +815,8 @@ static MagickBooleanType sixel_encode_impl(sixel_pixel_t *pixels,size_t width,
+ context->pos = 0;
+ if (ncolors < 1)
+ return(MagickFalse);
++ if (HeapOverflowSanityCheck(ncolors,width) != MagickFalse)
++ return(MagickFalse);
+ len=ncolors*width;
+ context->active_palette=(-1);
+ map=(sixel_pixel_t *) AcquireQuantumMemory(len,sizeof(sixel_pixel_t));
@@ -29,6 +29,9 @@ SRC_URI = "git://github.com/ImageMagick/ImageMagick.git;branch=main;protocol=htt
file://CVE-2025-68618.patch \
file://CVE-2025-68950.patch \
file://CVE-2025-69204.patch \
+ file://CVE-2026-28493-1.patch \
+ file://CVE-2026-28493-2.patch \
+ file://CVE-2026-28493-3.patch \
"
SRCREV = "82572afc879b439cbf8c9c6f3a9ac7626adf98fb"