VYPR
← All advisories
High severity7.5NVD Advisory· Published Jun 10, 2026

CVE-2026-53460

CVE-2026-53460

Description

ImageMagick versions prior to 6.9.13-50 and 7.1.2-25 are vulnerable to an out-of-Memory condition due to a missing check in AcquireAlignedMemory.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ImageMagick versions prior to 6.9.13-50 and 7.1.2-25 are vulnerable to an out-of-Memory condition due to a missing check in AcquireAlignedMemory.

Vulnerability

ImageMagick, a widely used image manipulation software, is affected by an out-of-Memory condition in versions prior to 6.9.13-50 and 7.1.2-25. This vulnerability arises from a missing check for maximum memory requests within the AcquireAlignedMemory function, which can be triggered under specific conditions [1].

Exploitation

An attacker can exploit this vulnerability by providing a specially crafted image file to an ImageMagick process. The vulnerability is triggered when the AcquireAlignedMemory function attempts to allocate memory without properly checking the requested size against system limits, leading to an out-of-memory error [1].

Impact

Successful exploitation of this vulnerability results in an out-of-Memory condition, which can lead to a denial-of-service (DoS) state for the ImageMagick process or the application utilizing it. This prevents legitimate users from accessing or processing images, impacting the availability of the service [1].

Mitigation

This vulnerability has been patched in ImageMagick versions 6.9.13-50 and 7.1.2-25. Users are strongly advised to upgrade to these fixed versions or later to mitigate the risk of an out-of-Memory condition [1].

References
  1. Policy Bypass can trigger out-of-Memory condition

AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • ImageMagick/Imagemagickinferred2 versions
    >=6.9.13,<6.9.13-50 || >=7.1.2,<7.1.2-25+ 1 more
    • (no CPE)range: >=6.9.13,<6.9.13-50 || >=7.1.2,<7.1.2-25
    • (no CPE)range: <6.9.13-50, <7.1.2-25

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

1