CVE-2026-61858
ImageMagick Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-61858 is a policy bypass vulnerability in ImageMagick's APNG encoder and external delegates caused by missing validation checks. It affects ImageMagick versions before 7.1.2-26 (7.x branch) and before 6.9.13-51 (6.x branch). The vulnerability was published on July 11, 2026, and was assigned a CVSS v3.1 base score of 3.3 (Low) and a CVSS v4.0 base score of 4.8 (Medium) (GitHub Advisory, Github Advisory). The vulnerability was reported by researcher "rexpository" and assigned by VulnCheck (GitHub Advisory).

Détails techniques

The root cause is a missing authorization and path validation check in the APNG encoder and external delegate handling code, classified as CWE-59 (Improper Link Resolution Before File Access / Link Following), CWE-22 (Path Traversal), and CWE-862 (Missing Authorization) (GitHub Advisory, Github Advisory). An attacker with local, low-privileged access can craft an APNG encoding operation that bypasses ImageMagick's configured policy restrictions, allowing file writes to paths that should be disallowed by the policy configuration. No user interaction is required, and the attack complexity is low, but exploitation is limited to local access (Github Advisory). No public proof-of-concept exploit code has been identified at this time.

Impact

Successful exploitation allows a low-privileged local attacker to write files to paths that are explicitly restricted by ImageMagick's security policy, undermining the integrity of the file system and the effectiveness of policy-based access controls. The impact is limited to integrity — there is no confidentiality or availability impact — and the scope is unchanged, meaning the attacker cannot directly affect resources outside the vulnerable component (GitHub Advisory). In environments where ImageMagick is used as a shared service or in multi-tenant contexts, this could allow unauthorized file modification in sensitive directories, potentially enabling privilege escalation or persistence if writable paths include configuration or executable locations (bugzilla.redhat.com).

Étapes d’exploitation

  1. Gain local access: Obtain a low-privileged local account on a system running a vulnerable version of ImageMagick (before 7.1.2-26 or 6.9.13-51).
  2. Identify policy restrictions: Review the ImageMagick policy.xml configuration file (typically at /etc/ImageMagick-7/policy.xml) to identify paths or operations that are explicitly denied.
  3. Craft a malicious APNG input: Prepare a specially crafted APNG image or encoding request that exploits the missing validation check in the APNG encoder or external delegate to reference a disallowed output path.
  4. Invoke ImageMagick: Execute an ImageMagick command (e.g., convert input.png output.apng) using the crafted input, triggering the APNG encoder code path that bypasses policy enforcement.
  5. Write to restricted path: The missing authorization check allows the output file to be written to a path that should be blocked by policy, potentially placing files in sensitive directories (GitHub Advisory).

Indicateurs de compromis

  • File System: Unexpected files appearing in directories that are explicitly restricted in ImageMagick's policy.xml; APNG files written to paths outside of expected output directories.
  • Logs: ImageMagick invocations in system or application logs involving APNG output to unusual or restricted paths; absence of expected policy denial log entries when writes to restricted paths occur.
  • Process: Unusual convert or magick process invocations by low-privileged users targeting sensitive directories as output destinations.

Atténuation et solutions de contournement

Users should upgrade to ImageMagick 7.1.2-26 or later (7.x branch) or 6.9.13-51 or later (6.x branch) to remediate this vulnerability (GitHub Advisory). As a workaround prior to patching, administrators can restrict local user access to ImageMagick binaries, tighten OS-level file system permissions on sensitive directories, or disable APNG encoding in the ImageMagick policy configuration. Red Hat has tracked this issue and is assessing impact on affected products (bugzilla.redhat.com).

Réactions de la communauté

The vulnerability was disclosed by ImageMagick maintainer "dlemstra" via a GitHub Security Advisory and credited to reporter "rexpository" (GitHub Advisory). Red Hat opened a Bugzilla tracking entry shortly after disclosure, indicating active monitoring by major Linux distributors (bugzilla.redhat.com). Community and social media reaction has been minimal, consistent with the low severity rating and limited exploitation potential of this vulnerability.

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté ImageMagick Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-61861MEDIUM6.3
  • ImageMagick logoImageMagick
  • ImageMagick-c++
NonOuiJul 11, 2026
CVE-2026-61857MEDIUM6.3
  • ImageMagick logoImageMagick
  • cpe:2.3:a:imagemagick:imagemagick
NonOuiJul 11, 2026
CVE-2026-61858MEDIUM4.8
  • ImageMagick logoImageMagick
  • ImageMagick-devel
NonOuiJul 11, 2026
CVE-2026-61465MEDIUM4.8
  • ImageMagick logoImageMagick
  • cpe:2.3:a:imagemagick:imagemagick
NonOuiJul 11, 2026
CVE-2026-61870LOW2.1
  • ImageMagick logoImageMagick
  • ImageMagick
NonOuiJul 11, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités