ImageMagick: Six Vulnerabilities Disclosed, Including File Write and Info Disclosure Flaws

Key findings
- Six ImageMagick vulnerabilities disclosed on July 1, 2026, impacting various versions.
- Vulnerabilities include memory leaks, denial-of-service, information disclosure, and arbitrary file write flaws.
- CVE-2026-56377 allows arbitrary file creation/truncation by bypassing policy checks.
- CVE-2026-56369 enables information disclosure via nonce reuse in encryption.
- Patches are available in ImageMagick versions ranging from 7.1.2-13 to 7.1.2-24.
On July 1, 2026, a batch of six vulnerabilities was disclosed for ImageMagick, a widely used image processing software suite. They span memory leaks, denial-of-service conditions, and the potential for arbitrary file writes. The disclosures highlight several weaknesses in ImageMagick's handling of image formats and processing functions, affecting versions prior to specific releases in the 7.1.2 branch.
Several of the vulnerabilities stem from improper handling of image processing operations and malformed inputs. CVE-2026-56361, affecting versions before 7.1.2-19, is an off-by-one error in morphology validation that can lead to out-of-bounds heap buffer reads, potentially causing memory corruption. Similarly, CVE-2026-56365 (before 7.1.2-19) and CVE-2026-56364 involve memory leaks. The former occurs in the PNG encoder when writing MNG images, while the latter is triggered by malformed OpenCL device profile XML files, both leading to denial-of-service conditions by exhausting memory resources. CVE-2026-56363, also a denial-of-service vulnerability, arises from a division by zero error in binomial kernel processing when handling large kernel values, causing an integer overflow.
Beyond denial-of-service, other vulnerabilities pose more significant risks. CVE-2026-56369, present in versions before 7.1.2-22, is an information disclosure vulnerability within the PasskeyEncipherImage method. It suffers from AES-CTR nonce reuse, allowing attackers to potentially recover plaintext information from encrypted images. Perhaps the most critical is CVE-2026-56377, affecting versions before 7.1.2-24. This vulnerability involves an incorrect policy check, enabling remote attackers to bypass path restrictions and write arbitrary files outside of intended boundaries, effectively allowing for arbitrary file creation or truncation on the server.
The disclosed vulnerabilities affect various versions of ImageMagick, with patches available in specific updates. For instance, CVE-2026-56361 and CVE-2026-56365 are addressed in ImageMagick version 7.1.2-19. CVE-2026-56369 and CVE-2026-56363 are fixed in 7.1.2-22, while CVE-2026-56364 was patched in 7.1.2-13. The most severe, CVE-2026-56377, is resolved in version 7.1.2-24. Users are strongly advised to update to the patched versions to mitigate these risks.
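To check an installation against the fix versions listed above, the following added example (not ImageMagick's own tooling) parses a `magick -version` banner and reports which of the six CVEs remain unpatched. The function names and sample banners are constructed for illustration, and the result reflects upstream version numbers only, so a distribution package with backported fixes may be reported as unpatched.

```python
import re

# First patched release per CVE, exactly as listed in the article.
FIXED_IN = {
    "CVE-2026-56364": "7.1.2-13",
    "CVE-2026-56361": "7.1.2-19",
    "CVE-2026-56365": "7.1.2-19",
    "CVE-2026-56363": "7.1.2-22",
    "CVE-2026-56369": "7.1.2-22",
    "CVE-2026-56377": "7.1.2-24",
}

_VER = re.compile(r"(\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_version(text):
    """Return (major, minor, patch, release) from a banner or bare version."""
    m = _VER.search(text)
    if not m:
        raise ValueError(f"no ImageMagick version found in {text!r}")
    return tuple(int(g) for g in m.groups())


def unpatched(banner):
    """List the article's CVEs whose fixed release is newer than the installed one."""
    installed = parse_version(banner)
    if installed[0] != 7:
        # The article only gives fix versions for the 7.1.2 line.
        raise ValueError("article gives no fix data for this major version")
    # Compare as integer tuples: as strings, "7.1.2-9" would sort after "7.1.2-13".
    return sorted(cve for cve, fixed in FIXED_IN.items()
                  if installed < parse_version(fixed))


# Constructed sample banners in the format printed by `magick -version`.
SAMPLES = [
    "Version: ImageMagick 7.1.2-9 Q16-HDRI x86_64 https://imagemagick.org",
    "Version: ImageMagick 7.1.2-18 Q16-HDRI x86_64 https://imagemagick.org",
    "Version: ImageMagick 7.1.2-24 Q16-HDRI x86_64 https://imagemagick.org",
]

if __name__ == "__main__":
    for banner in SAMPLES:
        missing = unpatched(banner)
        version = "%d.%d.%d-%d" % parse_version(banner)
        print(version, "->", ", ".join(missing) if missing else "all six fixed")
```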
This coordinated disclosure of six vulnerabilities underscores the importance of maintaining updated ImageMagick installations. The range of issues, from memory exhaustion to arbitrary file writes and information disclosure, presents a multifaceted threat. Users operating ImageMagick in sandboxed environments or handling untrusted image inputs are particularly at risk and should prioritize applying the relevant security updates. The specific version numbers for fixes indicate a need for careful review of current installations to ensure they are protected against this batch of flaws.