Description
ImageMagick before 7.1.2-15 and 6.9.13-40 contains a memory leak in coders/txt.c when processing TXT files with texture attributes: the texture object allocated via ReadImage is not released when GetTypeMetrics fails, leaking memory each time a crafted TXT file with a texture attribute is processed.
Published: 2026-06-23
Score: 0 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ImageMagick releases a memory allocation when processing TXT files that contain a texture attribute. If the ReadImage function succeeds but the subsequent GetTypeMetrics call fails, the texture object that was allocated is never freed, leading to progressively leaked memory for every such file processed. This leak does not expose sensitive data directly, but repeated use of crafted TXT files can exhaust system memory and cause application or system instability.

Affected Systems

The vulnerability affects ImageMagick releases older than version 7.1.2‑15 and 6.9.13‑40. All installations of the ImageMagick software suite should verify their version and apply an update where available.

Risk and Exploitability

Because the leak occurs during normal file parsing, an attacker must supply or force the processing of malicious TXT files. No privileged code execution or direct data disclosure is required. The exploit likelihood is uncertain due to lack of EPSS data, and the defect is not listed in the CISA KEV catalog, suggesting no publicly available exploits yet. However, the potential to trigger a denial of service remains significant, especially on systems that routinely handle untrusted image and text input.

Generated by OpenCVE AI on June 23, 2026 at 13:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to version 7.1.2‑15 or newer, or 6.9.13‑40 or newer, where the memory leak is fixed.
  • If upgrading is not immediately possible, filter or sanitize TXT files to remove texture attributes before they reach the ImageMagick parser.
  • Monitor memory consumption on servers running ImageMagick, and set limits or automatic restarts to mitigate any accidental memory exhaustion.

Generated by OpenCVE AI on June 23, 2026 at 13:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
Description ImageMagick before 7.1.2-15 and 6.9.13-40 contains a memory leak in coders/txt.c when processing TXT files with texture attributes: the texture object allocated via ReadImage is not released when GetTypeMetrics fails, leaking memory each time a crafted TXT file with a texture attribute is processed.
Title ImageMagick - Memory Leak in TXT File Processing via Texture Attribute
First Time appeared Imagemagick
Imagemagick imagemagick
Weaknesses CWE-401
CPEs cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*
Vendors & Products Imagemagick
Imagemagick imagemagick
References
Metrics cvssV3_1

{'score': 0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N'}

cvssV4_0

{'score': 0, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Imagemagick Imagemagick
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-23T12:13:04.085Z

Reserved: 2026-06-21T02:05:21.920Z

Link: CVE-2026-56371

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T17:15:04Z

Weaknesses
  • CWE-401

    Missing Release of Memory after Effective Lifetime