
PEACH
Un cadre d’isolation des locataires
CVE-2026-61861 is a use-after-free vulnerability in ImageMagick's FormatMagickCaption method, triggered when memory allocation fails, leaving a dangling pointer referencing freed memory. It affects ImageMagick versions before 7.1.2-26 (7.x branch) and before 6.9.13-51 (6.x branch). The vulnerability was published on July 11, 2026, and was reported by researcher RigelYoung. It carries a CVSS v3.1 base score of 3.7 (Low) and a CVSS v4.0 base score of 6.3 (Medium) (GitHub Advisory, Github Advisory DB).
The root cause is classified as CWE-416 (Use After Free) and CWE-825 (Expired Pointer Dereference). Inside the FormatMagickCaption method, when a memory allocation call fails, the code does not properly nullify or invalidate the pointer to the previously freed memory block, resulting in a dangling pointer. An unauthenticated network-based attacker can craft inputs that trigger this allocation failure path — for example, by supplying specially crafted image files or caption data that causes memory pressure — causing the dangling pointer to be subsequently dereferenced. Exploitation requires high attack complexity and the presence of specific deployment conditions (attack requirements: present), limiting ease of exploitation (GitHub Advisory, Red Hat Bugzilla).
The primary impact is availability loss — successful exploitation can cause a denial of service by crashing the ImageMagick process through dereferencing freed memory. In more severe scenarios, the use-after-free condition could theoretically be leveraged for arbitrary code execution if an attacker can control memory layout at the time of the dereference, though this is considered difficult given the high attack complexity. There is no assessed impact to confidentiality or integrity of the vulnerable system (Github Advisory DB, Red Hat Bugzilla).
Upgrade ImageMagick to version 7.1.2-26 or later (7.x branch) or 6.9.13-51 or later (6.x branch), which contain the fix for this vulnerability (GitHub Advisory). If immediate patching is not feasible, restrict network access to services that process images via ImageMagick and monitor for unexpected process crashes or memory allocation errors. Applying OS-level memory protections such as ASLR and enabling crash reporting can help detect and limit exploitation attempts.
The vulnerability was assigned a low severity rating by the ImageMagick maintainer (dlemstra) and credited to reporter RigelYoung (GitHub Advisory). Red Hat opened a tracking bug classifying it as medium priority/severity (Red Hat Bugzilla). No significant broader community discussion or media coverage has been observed beyond standard vulnerability database aggregation.
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."