
Cloud Vulnerability DB
A community-driven vulnerability database
CVE-2026-56368 is a memory leak vulnerability in ImageMagick affecting multiple coders that write raw pixel data, where allocated objects are not properly freed after use. It affects ImageMagick versions before 7.1.2-15 (7.x branch) and before 6.9.13-40 (6.x branch). The vulnerability was published on June 24, 2026, and was originally disclosed via a GitHub Security Advisory (GHSA-wfx3-6g53-9fgc) credited to researcher ylwango613. It carries a CVSS v3.1 base score of 3.7 (Low) and a CVSS v4.0 base score of 6.3 (Medium) (GitHub Advisory, VulnCheck).
The vulnerability is classified as CWE-401 (Missing Release of Memory after Effective Lifetime), where memory allocated during raw pixel data writing operations in multiple ImageMagick coders is never freed. Specifically, a direct leak of 160 bytes in one object has been identified as allocated but not released during the affected coder operations. An attacker can trigger this leak by submitting a specially crafted image file for processing — no authentication or user interaction is required, though exploitation requires high attack complexity (e.g., specific conditions or timing). The attack vector is network-based, meaning the vulnerability can be triggered remotely wherever ImageMagick processes user-supplied images (GitHub Advisory).
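The CWE-401 pattern described above, shown as an added illustration rather than ImageMagick's own code: a constructed stand-in for a raw-pixel write coder leaks its pixel buffer on an error path, beside a corrected version with a single release point. A small tracking allocator reports how many bytes remain outstanding after each call; all names (write_raw_pixels_leaky, write_raw_pixels_fixed, leaked_after, live_bytes) are hypothetical.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for a raw-pixel "write" coder; the names are hypothetical,
 * not ImageMagick's. live_bytes counts memory allocated but not yet freed. */
static size_t live_bytes = 0;
static void *tracked_alloc(size_t n) {
    unsigned char *p = malloc(n + sizeof(size_t));
    if (p == NULL) return NULL;
    memcpy(p, &n, sizeof n);            /* remember the size for tracked_free */
    live_bytes += n;
    return p + sizeof(size_t);
}
static void tracked_free(void *q) {
    if (q == NULL) return;
    unsigned char *p = (unsigned char *)q - sizeof(size_t);
    size_t n; memcpy(&n, p, sizeof n);
    live_bytes -= n;
    free(p);
}
/* Simulated output sink: the write "fails" once a row exceeds the limit. */
static int write_blob(const unsigned char *row, size_t n, size_t limit) {
    (void)row; return n <= limit;
}
/* CWE-401 shape: the early return on a failed write skips the release. */
static int write_raw_pixels_leaky(size_t rows, size_t row_bytes, size_t limit) {
    unsigned char *pixels = tracked_alloc(row_bytes);
    if (pixels == NULL) return 0;
    for (size_t y = 0; y < rows; y++) {
        memset(pixels, (int)y, row_bytes);
        if (!write_blob(pixels, row_bytes, limit)) return 0; /* BUG: no free */
    }
    tracked_free(pixels);
    return 1;
}
/* Fixed: one exit path, so the buffer is released whatever the outcome. */
static int write_raw_pixels_fixed(size_t rows, size_t row_bytes, size_t limit) {
    unsigned char *pixels = tracked_alloc(row_bytes);
    int status = (pixels != NULL);
    for (size_t y = 0; status && y < rows; y++) {
        memset(pixels, (int)y, row_bytes);
        status = write_blob(pixels, row_bytes, limit);
    }
    tracked_free(pixels);
    return status;
}
/* Bytes still outstanding after writing 4 rows of 160 bytes; 0 means no leak. */
static size_t leaked_after(int (*writer)(size_t, size_t, size_t), size_t limit) {
    live_bytes = 0; writer(4, 160, limit);
    return live_bytes;
}
```

Running the leaky writer against a sink that rejects the first row leaves the 160-byte buffer outstanding, which is the per-trigger cost that accumulates into the availability impact the advisory describes; the fixed writer leaves nothing behind on either path.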
Successful exploitation causes gradual memory exhaustion on the affected host, ultimately resulting in a denial of service condition. There is no impact on confidentiality or integrity — the vulnerability is limited to availability. In environments where ImageMagick processes high volumes of user-supplied images (e.g., web applications, media pipelines), repeated triggering of the leak could degrade or crash the service over time (GitHub Advisory, VulnCheck).
Users should upgrade to ImageMagick 7.1.2-15 or later (for the 7.x branch) or 6.9.13-40 or later (for the 6.x branch), which contain the fix for this memory leak. No configuration-based workarounds have been published. As an interim measure, operators can limit or sandbox ImageMagick's processing of untrusted images to reduce exposure until patching is feasible (GitHub Advisory, VulnCheck).
Source: This report was generated using AI