Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-25, when providing invalid options to the wand option parser a small memory leak will occur. This issue has been patched in version 7.1.2-25.
Published: 2026-06-10
Score: 4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ImageMagick is a widely used open‑source image editing library. Prior to version 7.1.2‑25 invalid options passed to its wand option parser trigger a small memory leak. A memory leak can lead to gradual exhaustion of system resources, potentially causing a denial of service if an attacker repeatedly submits bad arguments. The weakness is identified as CWE‑401, unchecked or improperly handled memory leakage, and CWE‑772, missing release of memory after its effective lifetime.

Affected Systems

Vendors and products: ImageMagick ImageMagick. Affected versions are all releases older than 7.1.2‑25; the patch was applied in 7.1.2‑25. No specific sub‑product versions other than the major version are listed.

Risk and Exploitability

The CVSS score of 4.0 indicates moderate severity, suggesting that while the vulnerability is not high‑impact, repeated exploitation can degrade system performance. The EPSS score of 0.013% indicates a very low but non‑zero probability of exploitation. It is not listed in the CISA KEV catalog. Inference: the attack vector would involve supplying crafted wand options to a running ImageMagick instance, which is commonly performed during image processing by web applications, or via a standalone command line invocation. The legitimate use of ImageMagick may make it easier for attackers to trigger the bug if a vulnerable process is exposed.

Generated by OpenCVE AI on June 12, 2026 at 01:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to version 7.1.2‑25 or newer to apply the memory leak fix.
  • Validate or sanitize wand options before passing them to ImageMagick to ensure no malformed arguments are accepted.
  • Monitor memory consumption of ImageMagick processes and consider sandboxing or resource limiting to mitigate potential denial of service.

Generated by OpenCVE AI on June 12, 2026 at 01:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6356-1 imagemagick security update
Github GHSA Github GHSA GHSA-j989-f892-2335 ImageMagick: Memory Leak in wand option parser when providing invalid arguments
History

Fri, 12 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-772
References
Metrics threat_severity

None

threat_severity

Low


Thu, 11 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*

Thu, 11 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Imagemagick
Imagemagick imagemagick
Vendors & Products Imagemagick
Imagemagick imagemagick

Wed, 10 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Description ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-25, when providing invalid options to the wand option parser a small memory leak will occur. This issue has been patched in version 7.1.2-25.
Title ImageMagick: Memory Leak in wand option parser when providing invalid arguments
Weaknesses CWE-401
References
Metrics cvssV3_1

{'score': 4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


Subscriptions

Imagemagick Imagemagick
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-11T12:38:53.826Z

Reserved: 2026-06-09T16:31:21.495Z

Link: CVE-2026-53464

cve-icon Vulnrichment

Updated: 2026-06-11T12:38:49.253Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-10T23:16:50.857

Modified: 2026-06-11T18:43:13.637

Link: CVE-2026-53464

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-10T22:07:06Z

Links: CVE-2026-53464 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T02:00:12Z

Weaknesses
  • CWE-401

    Missing Release of Memory after Effective Lifetime

  • CWE-772

    Missing Release of Resource after Effective Lifetime