Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-50 and 7.1.2-25, a missing check for the maximum memory request in AcquireAlignedMemory could trigger an out-of-memory condition. This issue has been patched in versions 6.9.13-50 and 7.1.2-25.
Published: 2026-06-10
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing check for the maximum memory request in ImageMagick's AcquireAlignedMemory function can lead to an out-of-memory condition when image data is processed. The vulnerability is classified as CWE-770, indicating improper limits or controls on memory allocation. If an attacker forces the library to allocate a very large block of memory, the process may become unresponsive or crash, resulting in a denial of service for the affected service.

Affected Systems

ImageMagick versions before 6.9.13-50 and before 7.1.2-25 are vulnerable. These releases lack the guard that was introduced in the patched versions 6.9.13-50 and 7.1.2-25. The vulnerability can affect any deployment of these older binaries, including those bundled in Linux and Windows distributions.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. No EPSS data is available, and the issue is not listed in CISA's KEV catalog, suggesting limited evidence of public exploitation. Based on the description, an attacker could plausibly trigger the out-of-memory condition by supplying a specially crafted image to any component that processes images through an exposed or public interface. The likelihood of exploitation therefore depends on how exposed the image-handling service is; an unprotected or externally accessible service presents a higher risk.

Generated by OpenCVE AI on June 11, 2026 at 00:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to ImageMagick 6.9.13-50 or newer, or 7.1.2-25 or newer; these versions include the missing memory check.
  • Run ImageMagick processes inside a container or with Linux cgroups that enforce strict memory limits to prevent a single request from exhausting system RAM.
  • Sanitize or restrict image input before handing it to ImageMagick by disabling unsupported image types or validating image size and format against a whitelist.

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 13:30:00 +0000

Type: Metrics (ssvc)
Values Removed: none
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 23:45:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Imagemagick (vendor); Imagemagick imagemagick (product)

Type: Vendors & Products
Values Removed: none
Values Added: Imagemagick (vendor); Imagemagick imagemagick (product)

Wed, 10 Jun 2026 22:30:00 +0000

Type: Description
Values Removed: none
Values Added: ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-50 and 7.1.2-25, a missing check for maximum memory request in AcquireAlignedMemory could trigger an out-of-Memory condition. This issue has been patched in versions 6.9.13-50 and 7.1.2-25.

Type: Title
Values Removed: none
Values Added: ImageMagick: Policy Bypass can trigger out-of-Memory condition

Type: Weaknesses
Values Removed: none
Values Added: CWE-770

Type: References
Values Removed: none
Values Added: none

Type: Metrics (cvssV3_1)
Values Removed: none
Values Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-11T12:39:32.671Z

Reserved: 2026-06-09T16:31:21.495Z

Link: CVE-2026-53460

Vulnrichment

Updated: 2026-06-11T12:39:26.427Z

NVD

Status: Received

Published: 2026-06-10T23:16:50.287

Modified: 2026-06-10T23:16:50.287

Link: CVE-2026-53460

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T00:45:45Z

Weaknesses

  • CWE-770: Allocation of Resources Without Limits or Throttling