Description
ImageMagick before 7.1.2-15 and 6.9.13-40 contains a heap use-after-free in the meta coder: when memory allocation fails, a single byte is written to a stale pointer. Remote attackers can trigger it by processing specially crafted image files, causing a denial of service.
Published: 2026-06-23
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ImageMagick contains a heap use‑after‑free flaw in the meta coder. When a memory allocation fails, a single byte is written to a stale pointer, which can trigger a denial of service. The weakness is a classic use‑after‑free (CWE‑416) and also involves improper buffer direct access to heap memory (CWE‑825).

Affected Systems

The vulnerability affects all users of ImageMagick versions prior to 7.1.2‑15 and 6.9.13‑40. These versions are installed under the ImageMagick product from the ImageMagick vendor.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity. The EPSS score of less than 1% combined with the absence of a CISA KEV listing indicates a very low likelihood of exploitation. Remote attackers can trigger the fault by providing a specially crafted image file; the exploit results in a denial of service, potentially impacting availability of any service that processes images using ImageMagick.

Generated by OpenCVE AI on June 25, 2026 at 02:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to version 7.1.2‑15 or later, or 6.9.13‑40 or later.
  • If an upgrade is not possible, isolate image processing in a sandboxed environment with limited privileges.
  • Implement input validation and buffer size checks to mitigate buffer direct access to heap memory that could trigger allocation failures.

Generated by OpenCVE AI on June 25, 2026 at 02:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4680-1 imagemagick security update
Debian DSA Debian DSA DSA-6383-1 imagemagick security update
History

Thu, 25 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

threat_severity

Low


Tue, 23 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
Description ImageMagick before 7.1.2-15 and 6.9.13-40 contains a heap use-after-free in the meta coder: when memory allocation fails, a single byte is written to a stale pointer. Remote attackers can trigger it by processing specially crafted image files, causing a denial of service.
Title ImageMagick - Heap Use-After-Free in Meta Coder
First Time appeared Imagemagick
Imagemagick imagemagick
Weaknesses CWE-416
CPEs cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*
Vendors & Products Imagemagick
Imagemagick imagemagick
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}

cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


Subscriptions

Imagemagick Imagemagick
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-23T13:06:10.787Z

Reserved: 2026-06-21T02:05:47.495Z

Link: CVE-2026-56376

cve-icon Vulnrichment

Updated: 2026-06-23T13:06:05.780Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-23T12:13:04Z

Links: CVE-2026-56376 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T03:00:10Z

Weaknesses