CVE-2026-53464
Description
A memory leak in ImageMagick's wand option parser, triggered by invalid options, allows gradual resource exhaustion before version 7.1.2-25.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In ImageMagick versions prior to 7.1.2-25, the wand option parser does not properly free allocated memory when processing invalid options, resulting in a small memory leak. The issue is present in the option parsing code path that handles malformed or unrecognized arguments passed to wand API functions. This can be triggered without special privileges or authentication.
Exploitation
An attacker with the ability to supply crafted options to an ImageMagick wand operation (e.g., via a script, command-line invocation, or an application that uses the library) can trigger the memory leak by providing invalid or unexpected option strings. No user interaction beyond the attacker's input is required. The leak occurs each time an invalid option is parsed and, accumulated over many operations, can lead to a denial of service via memory exhaustion.
Impact
Repeated exploitation causes gradual memory consumption, eventually leading to resource exhaustion on the affected system. The impact is primarily on availability, as other processes may be starved of memory, and the ImageMagick process itself may terminate unexpectedly. Confidentiality and integrity are not directly affected.
Mitigation
ImageMagick version 7.1.2-25, released in mid-2026 as part of the security patch cycle, fixes the memory leak by ensuring proper memory deallocation in the wand option parser. Users should upgrade to this version or later. No workarounds are documented in the advisory [1]. Systems using older versions are vulnerable until upgraded.
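To act on the upgrade guidance, the sketch below triages hosts by comparing the version banner from `magick -version` against the fixed release 7.1.2-25. It is an added example, not code from the advisory or from ImageMagick; the host names and banner lines are constructed, and reporting non-7.x branches as "unknown" is an assumption, since the page names only a 7.x fixed release.

```python
import re

# Fixed release named in the advisory text above.
FIXED = (7, 1, 2, 25)

# Version token as it appears in the "Version:" line of `magick -version`.
_VERSION_RE = re.compile(r"ImageMagick\s+(\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_version(banner):
    """Return (major, minor, patch, release) as ints, or None if absent."""
    m = _VERSION_RE.search(banner)
    return tuple(int(g) for g in m.groups()) if m else None


def classify(banner):
    """Return 'vulnerable', 'fixed' or 'unknown' for one version banner."""
    v = parse_version(banner)
    if v is None:
        return "unknown"
    if v[0] != FIXED[0]:
        # Assumption: the page names only a 7.x fixed release, so other
        # major branches are flagged for manual review instead of guessed.
        return "unknown"
    # Tuple comparison is numeric per field, so 7.1.2-9 sorts below 7.1.2-25
    # (a plain string comparison would get this wrong).
    return "fixed" if v >= FIXED else "vulnerable"


# Constructed inventory: host name -> first line of `magick -version` output.
SAMPLE_INVENTORY = {
    "web-01": "Version: ImageMagick 7.1.2-9 Q16-HDRI x86_64 https://imagemagick.org",
    "web-02": "Version: ImageMagick 7.1.2-25 Q16-HDRI x86_64 https://imagemagick.org",
    "batch-01": "Version: ImageMagick 7.1.1-47 Q16 aarch64 https://imagemagick.org",
    "legacy-01": "Version: ImageMagick 6.9.13-25 Q16 x86_64 https://legacy.imagemagick.org",
    "broken-01": "magick: command not found",
}


def triage(inventory):
    """Map each host to its classification."""
    return {host: classify(banner) for host, banner in inventory.items()}


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:10} {status}")
```

Hosts reported as "unknown" need a manual check rather than being treated as safe.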
AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries:
- (no CPE) range: <7.1.2-25
- (no CPE) range: <7.1.2-25
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions (1)
- ImageMagick: 25 Vulnerabilities Disclosed in Single Batch on June 10, 2026 (Vypr Intelligence · Jun 10, 2026)