Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-50 and 7.1.2-25, when an allocation fails in CheckPrimitiveExtent this can result in a heap-use-after-free and result in a crash. This issue has been patched in versions 6.9.13-50 and 7.1.2-25.
Published: 2026-06-10
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ImageMagick is an image manipulation library. A failure to allocate memory during CheckPrimitiveExtent results in a heap‑use‑after‑free, which is a use‑after‑free flaw (CWE‑416) and also a memory operation error (CWE‑825). The flaw causes the program to crash but does not directly grant code execution. The vulnerability can be triggered when an attacker supplies a specially crafted image to a service that uses the vulnerable path, leading to a denial‑of‑service condition.

Affected Systems

Versions prior to 6.9.13‑50 and 7.1.2‑25 of ImageMagick are affected. The vulnerability applies to the ImageMagick application across all supported platforms where older binaries are used.

Risk and Exploitability

The CVSS score is 5.9, indicating a moderate risk assessment. EPSS score is < 1%, showing a very low likelihood of exploitation. The flaw is not listed in CISA’s KEV catalog. The attack would likely occur when an attacker supplies a specially crafted image file to a service that invokes the vulnerable allocation path, potentially causing the application to crash.

Generated by OpenCVE AI on June 12, 2026 at 01:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to version 6.9.13‑50 or higher, or 7.1.2‑25 or higher.
  • If an upgrade is not immediately possible, restrict the processing of untrusted images or disable the vulnerable code path through configuration changes.
  • Continuously monitor application logs for segmentation faults or crashes that may indicate an exploitation attempt.

Generated by OpenCVE AI on June 12, 2026 at 01:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-px7q-ggqj-hcf2 ImageMagick has a Use-After-Free when allocation in CheckPrimitiveExtent fails
History

Fri, 12 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

threat_severity

Low


Thu, 11 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*

Thu, 11 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Imagemagick
Imagemagick imagemagick
Vendors & Products Imagemagick
Imagemagick imagemagick

Wed, 10 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Description ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-50 and 7.1.2-25, when an allocation fails in CheckPrimitiveExtent this can result in a heap-use-after-free and result in a crash. This issue has been patched in versions 6.9.13-50 and 7.1.2-25.
Title ImageMagick: Use-After-Free when allocation in CheckPrimitiveExtent fails
Weaknesses CWE-416
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

Imagemagick Imagemagick
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-11T15:45:14.175Z

Reserved: 2026-06-09T16:31:21.495Z

Link: CVE-2026-53462

cve-icon Vulnrichment

Updated: 2026-06-11T15:45:07.362Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-10T23:16:50.580

Modified: 2026-06-11T18:43:32.803

Link: CVE-2026-53462

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-10T22:04:53Z

Links: CVE-2026-53462 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T02:00:12Z

Weaknesses