CVE-2026-61465
ImageMagick Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-61465 is a denial-of-service vulnerability in ImageMagick caused by a missing memory allocation limit check in matrix-backed image processing operations such as -canny. Affected versions include ImageMagick before 7.1.2-26 (7.x branch) and before 6.9.13-51 (6.9.x branch). The vulnerability was published on July 11, 2026, with the original security advisory (GHSA-rvhp-75f6-9jqh) credited to reporter rexpository and published by maintainer dlemstra on June 26, 2026. It carries a CVSS v3.1 base score of 3.3 (Low) and a CVSS v4.0 base score of 4.8 (Medium) (GitHub Advisory, ImageMagick Advisory, Red Hat Bugzilla).

Détails techniques

The root cause is classified as CWE-770 (Allocation of Resources Without Limits or Throttling), with additional weaknesses noted as CWE-284 (Improper Access Control) and CWE-400 (Uncontrolled Resource Consumption). Matrix-backed operations in ImageMagick — such as the -canny edge detection filter — fail to enforce the memory allocation limits defined in the application's security policy, allowing unbounded memory allocation during image processing. An attacker exploits this by supplying a specially crafted image file that, when processed by a vulnerable ImageMagick instance, triggers excessive memory allocation beyond the configured policy ceiling. Exploitation requires local access and user interaction (i.e., a user or automated process must open or process the malicious image) (ImageMagick Advisory, GitHub Advisory).

Impact

Successful exploitation results in a denial-of-service condition, causing ImageMagick to exhaust available system memory and become unresponsive or crash. There is no impact on confidentiality or data integrity — the vulnerability is limited to availability. Systems that use ImageMagick for automated image processing pipelines (e.g., web applications, media servers) are at elevated risk if they process untrusted user-supplied images (ImageMagick Advisory, Red Hat Bugzilla).

Étapes d’exploitation

  1. Craft a malicious image: Create or obtain a specially crafted image file (e.g., a TIFF or PNG) designed to trigger excessive memory allocation when processed by ImageMagick's matrix-backed operations such as -canny.
  2. Deliver the image: Place the crafted image in a location where a vulnerable ImageMagick instance will process it — for example, uploading it to a web application that uses ImageMagick for image transformation, or placing it in a directory monitored by an automated processing script.
  3. Trigger processing: Cause ImageMagick to process the image using a matrix-backed operation (e.g., convert malicious.png -canny 0x1+10%+30% output.png), which bypasses the configured memory allocation policy.
  4. Achieve denial of service: ImageMagick allocates memory beyond the policy limit, exhausting system memory and causing the process (and potentially the host application) to crash or become unresponsive (ImageMagick Advisory, GitHub Advisory).

Indicateurs de compromis

  • Process Behavior: ImageMagick processes (convert, magick) consuming abnormally high memory when processing specific image files, particularly those invoking -canny or other matrix-backed operations.
  • Logs: System logs (e.g., /var/log/syslog, dmesg) showing OOM (Out of Memory) killer events triggered by ImageMagick processes; application logs showing ImageMagick crashes or unexpected terminations.
  • File System: Presence of unexpected or unusually large image files in upload directories or processing queues that consistently cause ImageMagick to crash.
  • Network: For web-facing applications, repeated upload requests of the same or similar image files from a single source IP, particularly targeting image processing endpoints.

Atténuation et solutions de contournement

Upgrade ImageMagick to version 7.1.2-26 or later (7.x branch) or 6.9.13-51 or later (6.9.x branch) to remediate the vulnerability. As interim mitigations, enforce OS-level memory limits on ImageMagick processes using tools such as ulimit or cgroups to constrain maximum memory usage. Restrict access to ImageMagick processing capabilities to trusted users or processes where possible, and avoid processing untrusted user-supplied images with matrix-backed operations until patched (ImageMagick Advisory, Red Hat Bugzilla).

Réactions de la communauté

The vulnerability received routine coverage across vulnerability tracking platforms including VulnDB, VulnCheck, INCIBE-CERT, and OSV shortly after disclosure. Red Hat opened a tracking bug (BZ#2499374) and classified it as medium severity. No notable researcher commentary or significant community discussion has been observed beyond standard vulnerability database entries (Red Hat Bugzilla).

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté ImageMagick Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-61861MEDIUM6.3
  • ImageMagick logoImageMagick
  • ImageMagick-c++
NonOuiJul 11, 2026
CVE-2026-61857MEDIUM6.3
  • ImageMagick logoImageMagick
  • cpe:2.3:a:imagemagick:imagemagick
NonOuiJul 11, 2026
CVE-2026-61858MEDIUM4.8
  • ImageMagick logoImageMagick
  • ImageMagick-devel
NonOuiJul 11, 2026
CVE-2026-61465MEDIUM4.8
  • ImageMagick logoImageMagick
  • cpe:2.3:a:imagemagick:imagemagick
NonOuiJul 11, 2026
CVE-2026-61870LOW2.1
  • ImageMagick logoImageMagick
  • ImageMagick
NonOuiJul 11, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités