CVE-2026-61857
ImageMagick Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-61857 is a heap use-after-free vulnerability in ImageMagick caused by a missing null check when parsing XMP profiles. Attackers can craft malicious image files with specially crafted XMP data to trigger the flaw and cause application crashes. The vulnerability affects ImageMagick versions before 7.1.2-26 (7.x branch) and before 6.9.13-51 (6.x branch). It was published on July 11, 2026, with a CVSS v3.1 score of 3.7 (Low) and a CVSS v4.0 score of 6.3 (Medium) (GitHub Advisory, ImageMagick Advisory).

Détails techniques

The root cause is a missing null check during XMP profile parsing, which leads to a heap use-after-free condition (CWE-416 estimated; formally classified as CWE-252 Unchecked Return Value and CWE-476 NULL Pointer Dereference). When ImageMagick processes an image file containing a specially crafted XMP metadata block, the parser fails to validate a pointer before use, resulting in access to freed heap memory. The attack vector is network-based with high complexity and no privileges or user interaction required, though specific attack prerequisites must be present (e.g., the application must process attacker-supplied image files). The vulnerability was reported by researcher "rexpository" (ImageMagick Advisory, Red Hat Bugzilla).

Impact

Successful exploitation results in an application crash, causing a denial of service. There is no impact to confidentiality or integrity — the vulnerability is limited to availability of the affected ImageMagick process. In environments where ImageMagick is used as a backend image processing service (e.g., web applications accepting user-uploaded images), repeated exploitation could disrupt service availability, but lateral movement or data exfiltration are not associated with this vulnerability (GitHub Advisory, ImageMagick Advisory).

Étapes d’exploitation

  1. Identify target: Locate a service or application that uses a vulnerable version of ImageMagick (before 7.1.2-26 or before 6.9.13-51) to process user-supplied image files, such as a web application with image upload functionality.
  2. Craft malicious image: Create an image file (e.g., JPEG, PNG, TIFF) containing a specially crafted XMP metadata profile designed to trigger the missing null check during parsing — for example, an XMP block with malformed or truncated data that causes a pointer to be used after the associated memory has been freed.
  3. Submit the file: Upload or submit the crafted image to the target application, causing ImageMagick to process it server-side.
  4. Trigger crash: The malformed XMP data causes a heap use-after-free condition in ImageMagick's XMP parsing code, resulting in an application crash and denial of service (ImageMagick Advisory, GitHub Advisory).

Indicateurs de compromis

  • Logs: Repeated application crashes or segmentation fault errors in ImageMagick process logs; error messages referencing XMP profile parsing failures or heap corruption.
  • Process: Unexpected termination of ImageMagick worker processes (e.g., convert, magick) shortly after processing uploaded image files.
  • File System: Presence of suspicious image files with anomalous or oversized XMP metadata sections in upload directories or temporary processing folders.
  • Network: High volume of image upload requests containing files with unusual XMP metadata, particularly from a single source IP, which may indicate automated crash-triggering attempts.

Atténuation et solutions de contournement

Upgrade ImageMagick to version 7.1.2-26 or later (7.x branch) or 6.9.13-51 or later (6.x branch) to remediate the vulnerability. As a workaround, restrict image upload functionality to trusted sources and consider implementing input validation or stripping of XMP metadata from image files before processing. Disabling or sandboxing ImageMagick in environments where untrusted image files are processed can further reduce risk (ImageMagick Advisory, Red Hat Bugzilla).

Réactions de la communauté

The vulnerability was assigned a low severity rating by the ImageMagick maintainers and published via GitHub Security Advisories on June 26, 2026. Red Hat opened a tracking bug (BZ#2499382) and classified it as medium priority/severity for their products. No significant broader media coverage or notable researcher commentary beyond the initial disclosure has been identified (ImageMagick Advisory, Red Hat Bugzilla).

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté ImageMagick Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-61861MEDIUM6.3
  • ImageMagick logoImageMagick
  • ImageMagick-c++
NonOuiJul 11, 2026
CVE-2026-61857MEDIUM6.3
  • ImageMagick logoImageMagick
  • cpe:2.3:a:imagemagick:imagemagick
NonOuiJul 11, 2026
CVE-2026-61858MEDIUM4.8
  • ImageMagick logoImageMagick
  • ImageMagick-devel
NonOuiJul 11, 2026
CVE-2026-61465MEDIUM4.8
  • ImageMagick logoImageMagick
  • cpe:2.3:a:imagemagick:imagemagick
NonOuiJul 11, 2026
CVE-2026-61870LOW2.1
  • ImageMagick logoImageMagick
  • ImageMagick
NonOuiJul 11, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités