ImageMagick: Fourteen Vulnerabilities Disclosed in Batch, Affecting Multiple Versions

Key findings
- Fourteen ImageMagick vulnerabilities disclosed July 1-2, 2026, including memory corruption and policy bypasses.
- Heap overflows, use-after-free, DoS, and info disclosure are among the disclosed issues.
- Patches available in versions 6.9.13-51 and 7.1.2-26 for several critical CVEs.
- Other fixes are present in versions 7.1.2-13 through 7.1.2-24.
- Vypr Intelligence reported on six of these CVEs on July 1, 2026.
On July 1 and 2, 2026, a batch of fourteen vulnerabilities was disclosed for ImageMagick, a widely used open-source software suite for editing and manipulating digital images. The issues include heap buffer overflows, use-after-free errors, infinite loops, stack overflows, memory leaks, information disclosures, and denial-of-service conditions. They affect various versions of ImageMagick, with patches available in specific updated versions.
Several vulnerabilities stem from improper handling of image data and arguments within different decoders and encoders. CVE-2026-55597, for instance, involves a heap buffer overflow in the JP2 encoder due to incorrect argument handling, fixed in version 7.1.2-26. Similarly, CVE-2026-55510 describes a use-after-free vulnerability in the 8BIM profile, patched in versions 6.9.13-51 and 7.1.2-26. The MVG decoder is implicated in both CVE-2026-55594, a stack overflow from a missing depth check, and CVE-2026-55577, a heap buffer overflow leading to an out-of-bounds write. Both of these issues are addressed in versions 6.9.13-51 and 7.1.2-26.
Denial-of-service vulnerabilities are also present in this batch. CVE-2026-55595 is an infinite loop triggered when invalid arguments are provided to the connected-components option, fixed in versions 6.9.13-51 and 7.1.2-26. CVE-2026-56363, disclosed on July 1, is a division-by-zero vulnerability in binomial kernel processing caused by an integer overflow, which crashes the application. CVE-2026-56365 and CVE-2026-56364 are memory leaks in the PNG encoder and the LoadOpenCLDeviceBenchmark function, respectively, which can exhaust memory resources.
Security policy bypasses and information disclosures are also highlighted. CVE-2026-55628 points to unauthorized file access due to missing policy checks in the concatenate operation. CVE-2026-56377, patched in version 7.1.2-24, allows attackers to create or truncate files disallowed by security policies by bypassing path restrictions. Furthermore, CVE-2026-56369 involves an information disclosure vulnerability in the PasskeyEncipherImage method due to AES-CTR nonce reuse, allowing attackers to recover plaintext information from encrypted images. CVE-2026-53467 is an information disclosure vulnerability in the MNG decoder.
The disclosed vulnerabilities affect various versions of ImageMagick. Specifically, fixes for CVE-2026-55597, CVE-2026-55595, CVE-2026-55510, CVE-2026-55594, and CVE-2026-55577 are available in versions 6.9.13-51 and 7.1.2-26. CVE-2026-56361 and CVE-2026-56365 were fixed in version 7.1.2-19. CVE-2026-56369 and CVE-2026-56363 were addressed in version 7.1.2-22. CVE-2026-56377 was patched in version 7.1.2-24, and CVE-2026-56364 in version 7.1.2-13. Users are advised to update to the patched versions to mitigate these security risks.
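
The fix releases listed above can be turned into a quick triage of an installed build. This is an added example, not code from the article or from the ImageMagick project; the names `parse_version`, `triage` and `FIXED_IN` are hypothetical and the sample banner is constructed. The article gives no affected-version ranges, so `predates_fix` only means the build is older than the stated fix release, and CVEs with no fix release stated for the installed branch are reported as `unknown`.

```python
import re

# Fix releases exactly as the article states them, keyed by major branch.
# An empty dict or a missing branch means the article names no fix release.
BOTH = {6: (6, 9, 13, 51), 7: (7, 1, 2, 26)}
FIXED_IN = {
    "CVE-2026-55597": BOTH, "CVE-2026-55595": BOTH, "CVE-2026-55510": BOTH,
    "CVE-2026-55594": BOTH, "CVE-2026-55577": BOTH,
    "CVE-2026-56361": {7: (7, 1, 2, 19)}, "CVE-2026-56365": {7: (7, 1, 2, 19)},
    "CVE-2026-56369": {7: (7, 1, 2, 22)}, "CVE-2026-56363": {7: (7, 1, 2, 22)},
    "CVE-2026-56377": {7: (7, 1, 2, 24)}, "CVE-2026-56364": {7: (7, 1, 2, 13)},
    "CVE-2026-55628": {}, "CVE-2026-53467": {}, "CVE-2026-53466": {},
}

def parse_version(banner):
    """Extract (major, minor, patch, release) from `magick -version` output."""
    m = re.search(r"ImageMagick (\d+)\.(\d+)\.(\d+)-(\d+)", banner)
    if m is None:
        raise ValueError("no ImageMagick version found in banner")
    return tuple(int(g) for g in m.groups())

def triage(banner):
    """Sort the batch's CVEs by how the installed build compares to each fix."""
    installed = parse_version(banner)
    report = {"fixed": [], "predates_fix": [], "unknown": []}
    for cve in sorted(FIXED_IN):
        fix = FIXED_IN[cve].get(installed[0])
        if fix is None:
            report["unknown"].append(cve)        # no fix release on the page
        elif installed >= fix:                   # numeric compare: -9 < -13
            report["fixed"].append(cve)
        else:
            report["predates_fix"].append(cve)
    return report

# Constructed sample banner, not captured from a real host.
SAMPLE = "Version: ImageMagick 7.1.2-22 Q16-HDRI x86_64 https://imagemagick.org"

if __name__ == "__main__":
    for status, cves in triage(SAMPLE).items():
        print(f"{status}: {', '.join(cves) or '-'}")
```

Distribution packages may backport fixes without changing the upstream version string, so a `predates_fix` result should be confirmed against the vendor's own advisory.
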
This batch of vulnerabilities underscores the importance of timely patching and secure configuration for widely used image processing libraries like ImageMagick. The variety of issues, from memory corruption to policy bypasses, highlights the complex attack surface these tools present. Users should prioritize updating their ImageMagick installations to the latest patched versions to protect against potential exploitation.
The related news coverage from Vypr Intelligence on July 1, 2026, specifically highlighted six of these vulnerabilities, including arbitrary file write and information disclosure flaws, noting that patches were available in versions ranging from 7.1.2-13 to 7.1.2-24. This coverage confirms the disclosure of CVE-2026-56361, CVE-2026-56363, CVE-2026-56364, CVE-2026-56365, CVE-2026-56369, and CVE-2026-56377.
The vulnerabilities disclosed include heap buffer overflows (CVE-2026-55597, CVE-2026-55577), use-after-free (CVE-2026-55510), infinite loops (CVE-2026-55595), stack overflows (CVE-2026-55594), memory leaks (CVE-2026-56365, CVE-2026-56364), denial-of-service (CVE-2026-56363, CVE-2026-53466), information disclosure (CVE-2026-53467, CVE-2026-56369), and unauthorized file access/creation (CVE-2026-55628, CVE-2026-56377).
The batch of 14 vulnerabilities disclosed for ImageMagick on July 1-2, 2026, includes heap overflows, use-after-free, infinite loops, stack overflows, memory leaks, DoS, information disclosure, and file access vulnerabilities. Patches are available in versions 6.9.13-51 and 7.1.2-26 for several issues, with other fixes in versions 7.1.2-13 to 7.1.2-24. The Vypr Intelligence report highlighted six of these CVEs on July 1, 2026.