ImageMagick: 14 Vulnerabilities Including Memory Leaks and DoS Flaws Disclosed Together
Key findings • 14 ImageMagick vulnerabilities disclosed together, primarily memory leaks and DoS flaws. • Affected versions include ImageMagick before 7.1.2-26 and 6.9.13-51. • Multiple m…

Key findings
- 14 ImageMagick vulnerabilities disclosed together, primarily memory leaks and DoS flaws.
- Affected versions include ImageMagick before 7.1.2-26 and 6.9.13-51.
- Multiple memory leaks identified across TIFF, JNG, ICON, MIFF encoders and YUV decoder.
- Includes use-after-free, heap buffer overwrite, and policy bypass vulnerabilities.
- CVE-2026-56375 affects various Magick.NET configurations due to an ASHLAR coder memory leak.
On July 16, 2026, a batch of 14 vulnerabilities affecting ImageMagick was disclosed, spanning multiple components and primarily leading to denial-of-service conditions through memory leaks and other flaws. These vulnerabilities affect ImageMagick versions prior to 7.1.2-26 and 6.9.13-51, with one vulnerability (CVE-2026-56375) in the ASHLAR coder affecting various Magick.NET configurations and disclosed on July 15, 2026. The disclosures highlight issues across various image processing operations, including TIFF encoding, color transformations, and the handling of specific image formats like JNG, ICON, and MIFF.
Several vulnerabilities stem from memory leaks within the TIFF encoder. CVE-2026-61872 and CVE-2026-61867 detail memory leaks that occur under different error conditions, such as invalid tile geometry or general memory allocation failures during TIFF processing. Similarly, CVE-2026-61863 describes a memory leak in the TIFF encoder when temporary file creation fails. Other memory leaks were found in the YUV decoder (CVE-2026-61868), JNG encoder (CVE-2026-61866), ICON decoder (CVE-2026-61871), MIFF encoder (CVE-2026-61869), and the hough lines operation (CVE-2026-61865), all of which can lead to resource exhaustion and denial of service.
Beyond memory leaks, ImageMagick is affected by a use-after-free vulnerability (CVE-2026-61860) in freetype initialization, which can also result in a denial of service. A heap-based buffer over-write vulnerability (CVE-2026-61464) exists when processing X11 imports with a crafted window title, potentially corrupting heap memory. Additionally, CVE-2026-61859 presents a policy bypass vulnerability in the -script operation, allowing unauthorized file access. CVE-2026-61862 involves an information disclosure vulnerability when displaying profile data with the identify command under specific debug conditions. Finally, CVE-2026-56375, disclosed a day earlier, points to a memory leak in the ASHLAR coder within various Magick.NET configurations.
The patched versions for most of these vulnerabilities are ImageMagick 7.1.2-26 and 6.9.13-51. Users are advised to update to these versions to mitigate the risks associated with these memory leaks, use-after-free, buffer overflow, policy bypass, and information disclosure vulnerabilities. The broad range of affected components and the consistent theme of memory exhaustion indicate a need for thorough security reviews of image processing libraries.
This batch of vulnerabilities underscores the importance of diligent memory management and robust error handling in complex software like ImageMagick. The consistent disclosure of memory leaks across various codecs and operations suggests potential systemic issues that require ongoing attention from developers and users alike. Staying updated with the latest patches is crucial for maintaining the security and stability of systems relying on ImageMagick for image manipulation.