ImageMagick: Ten Vulnerabilities Disclosed Together, Affecting Memory Handling and File Writing
Key findings • Ten ImageMagick vulnerabilities disclosed between July 9-11, 2026, with moderate to low severity. • Multiple vulnerabilities related to memory management, including use-after-f…

Key findings
- Ten ImageMagick vulnerabilities disclosed between July 9-11, 2026, with moderate to low severity.
- Multiple vulnerabilities related to memory management, including use-after-free and heap buffer overflows.
- Denial of service risks are prevalent, stemming from various image format handling issues.
- CVE-2026-61858 allows unauthorized file writing via APNG encoder policy bypass.
- Vulnerabilities affect ImageMagick versions prior to 7.1.2-15, 7.1.2-18, and 7.1.2-19.
- Patches are available in ImageMagick versions 7.1.2-15, 7.1.2-18, and 7.1.2-19.
On July 11, 2026, a batch of ten vulnerabilities affecting ImageMagick was disclosed, spanning a two-day window from July 9th to July 11th. These vulnerabilities, primarily discovered by security researchers and some attributed to Debian's imagemagick packaging, range in severity from low to moderate, with potential impacts including denial of service, information disclosure, and code execution. The disclosures highlight ongoing security challenges with complex image processing libraries.
Several vulnerabilities stem from improper handling of image formats and memory management. CVE-2026-61861 and CVE-2026-56373 detail use-after-free vulnerabilities, with the former leading to potential code execution and the latter causing crashes or memory corruption. CVE-2026-56374 and CVE-2026-56362 describe heap buffer overflows, triggered by crafted image files due to missing boundary checks or incorrect memory allocation procedures, leading to denial of service or information disclosure.
Denial of service remains a significant concern across multiple CVEs. CVE-2026-61870 specifically mentions DoS via crafted VIFF images, while CVE-2026-61465 points to DoS from missing memory allocation checks. CVE-2026-56366 details a memory leak in the META reader, also leading to DoS through resource exhaustion. CVE-2026-56372 combines information disclosure and denial of service risks.
Beyond memory and format handling, CVE-2026-61857 highlights application crashes due to malicious XMP profiles. A particularly concerning vulnerability, CVE-2026-61858, involves a policy bypass that allows unauthorized file writing via the APNG encoder, posing a risk of data manipulation.
The disclosed vulnerabilities affect various versions of ImageMagick. Specifically, ImageMagick versions before 7.1.2-18, 7.1.2-15, and 7.1.2-19 are noted as vulnerable in the Debian packaging context. Users are advised to update to patched versions as soon as possible. The specific patches are available in ImageMagick versions 7.1.2-15, 7.1.2-18, and 7.1.2-19, depending on the vulnerability.
This batch of vulnerabilities underscores the importance of regularly updating ImageMagick, especially for systems that process untrusted image files. The diverse nature of the flaws, from memory corruption to policy bypass, necessitates a thorough review of security configurations and prompt patching to mitigate potential risks.
The vulnerabilities disclosed are: CVE-2026-61861, CVE-2026-61870, CVE-2026-61858, CVE-2026-61857, CVE-2026-61465, CVE-2026-56372, CVE-2026-56366, CVE-2026-56373, CVE-2026-56374, and CVE-2026-56362.
Key findings include:
- Ten ImageMagick vulnerabilities disclosed between July 9-11, 2026, with moderate to low severity.
- Multiple vulnerabilities related to memory management, including use-after-free and heap buffer overflows.
- Denial of service risks are prevalent, stemming from various image format handling issues.
- CVE-2026-61858 allows unauthorized file writing via APNG encoder policy bypass.
- Vulnerabilities affect ImageMagick versions prior to 7.1.2-15, 7.1.2-18, and 7.1.2-19.
- Patches are available in ImageMagick versions 7.1.2-15, 7.1.2-18, and 7.1.2-19.