
PEACH
Un cadre d’isolation des locataires
CVE-2026-61870 is a memory leak vulnerability in ImageMagick's VIFF (Visualization Image File Format) encoder that can lead to denial of service. When memory allocation fails during VIFF image encoding, allocated memory is not properly released, allowing attackers to exhaust available system memory by processing specially crafted VIFF images. The vulnerability affects ImageMagick versions before 7.1.2-26 and before 6.9.13-51. It was published on July 11, 2026, with a CVSS v3.1 base score of 2.9 (Low) and a CVSS v4.0 base score of 2.1 (Low) (GitHub Advisory, ImageMagick Advisory).
The root cause is classified under CWE-401 (Missing Release of Memory after Effective Lifetime) and CWE-772 (Missing Release of Resource after Effective Lifetime): when a memory allocation fails within the VIFF encoder code path, the error-handling logic does not properly free previously allocated memory before returning (ImageMagick Advisory, GitHub Advisory). The attack vector is local (AV:L) with high attack complexity (AC:H) and requires specific attack prerequisites (AT:P), meaning an attacker must be able to supply a specially crafted VIFF image to an ImageMagick process. No privileges are required and no user interaction beyond the image processing operation is needed. No public proof-of-concept or technical write-up detailing the precise code location has been published at this time (Feedly).
Successful exploitation results in a low-severity availability impact: an attacker can cause memory exhaustion in the ImageMagick process, potentially crashing the service or degrading system performance. There is no impact on confidentiality or integrity, and the scope is unchanged, meaning the vulnerability does not enable lateral movement or privilege escalation beyond the affected ImageMagick instance (ImageMagick Advisory, Red Hat Bugzilla). Systems that automatically process user-supplied images (e.g., web applications using ImageMagick for image conversion) may be at higher risk of repeated exploitation leading to sustained denial of service.
convert, magick) over time, particularly when processing VIFF-format files; repeated process crashes or OOM (out-of-memory) kills related to ImageMagick./var/log/syslog, /var/log/messages) showing OOM killer events targeting ImageMagick processes; application logs showing repeated failures or errors during VIFF image processing..viff or .vif files in directories used for image upload or processing queues.Upgrade ImageMagick to version 7.1.2-26 or later (for the 7.x branch) or 6.9.13-51 or later (for the 6.x branch), which contain the fix for this memory leak (ImageMagick Advisory). As a workaround where upgrading is not immediately possible, restrict ImageMagick from processing VIFF image files by configuring ImageMagick's policy.xml to deny the VIFF format, or limit image processing to trusted sources only. Monitoring system memory usage during image processing operations can help detect potential exploitation attempts (Feedly).
The vulnerability received routine coverage from vulnerability tracking services and aggregators shortly after disclosure on July 11, 2026, including entries on VulnDB, CVEFeed, and INCIBE-CERT (Feedly). Red Hat opened a Bugzilla tracking entry and classified the issue as low severity (Red Hat Bugzilla). No notable researcher commentary, vendor statements beyond the official advisory, or significant social media discussion has been observed, consistent with the low severity rating of this vulnerability.
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."