CVE-2026-61857
6.3
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Summary
ImageMagick before 7.1.2-26 contains a heap use-after-free vulnerability caused by missing null check when parsing XMP profiles. Attackers can craft malicious image files with specially crafted XMP data to trigger the vulnerability and cause application crashes.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| ImageMagick | ImageMagick | 0 < 7.1.2-26 | affected |
| ImageMagick | ImageMagick | 7.1.2-26 | unaffected |
| ImageMagick | ImageMagick | 0 < 6.9.13-51 | affected |
| ImageMagick | ImageMagick | 6.9.13-51 | unaffected |
Weaknesses
- CWE-252: Unchecked Return Value
References
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qh5g-q395-cx4j
- https://www.vulncheck.com/advisories/imagemagick-before-26-heap-use-after-free-via-xmp
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.