Description
ImageMagick before 7.1.2-15 and 6.9.13-40 contains a heap use-after-free in the meta coder: when memory allocation fails, a single byte is written to a stale pointer. Remote attackers can trigger it by processing specially crafted image files, causing a denial of service.
Published: 2026-06-23
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ImageMagick contains a heap use-after-free flaw in the meta coder. When a memory allocation fails, a single byte is written to a stale pointer, which can trigger a denial of service. The weakness is a classic use-after-free (CWE-416).

Affected Systems

The vulnerability affects all ImageMagick versions prior to 7.1.2-15 and 6.9.13-40 (vendor: ImageMagick, product: ImageMagick).

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity. Because no EPSS score is available and the vulnerability is not listed in CISA KEV, the risk is considered moderate but not highly prioritized. Remote attackers can trigger the fault by supplying a specially crafted image file; the result is a denial of service, which can affect the availability of any service that processes images with ImageMagick.

Generated by OpenCVE AI on June 23, 2026 at 13:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to version 7.1.2-15 or later, or 6.9.13-40 or later.
  • If an upgrade is not possible, isolate image processing in a sandboxed environment with limited privileges.
  • Implement input validation to skip or reject malformed image files that could trigger allocation failures.


Advisories

No advisories yet.

History

Tue, 23 Jun 2026 13:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 12:45:00 +0000

Type                  Values Removed   Values Added
Description                            ImageMagick before 7.1.2-15 and 6.9.13-40 contains a heap use-after-free in the meta coder: when memory allocation fails, a single byte is written to a stale pointer. Remote attackers can trigger it by processing specially crafted image files, causing a denial of service.
Title                                  ImageMagick - Heap Use-After-Free in Meta Coder
First Time appeared                    Imagemagick; Imagemagick imagemagick
Weaknesses                             CWE-416
CPEs                                   cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*
Vendors & Products                     Imagemagick; Imagemagick imagemagick
References
Metrics                                cvssV3_1: {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}
                                       cvssV4_0: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-23T13:06:10.787Z

Reserved: 2026-06-21T02:05:47.495Z

Link: CVE-2026-56376

Vulnrichment

Updated: 2026-06-23T13:06:05.780Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-23T13:30:03Z

Weaknesses