CVE-2026-61857

LOW

ImageMagick before 7.1.2-26 Heap Use-After-Free via XMP

Title source: cna
STIX 2.1

Description

ImageMagick before 7.1.2-26 contains a heap use-after-free vulnerability caused by missing null check when parsing XMP profiles. Attackers can craft malicious image files with specially crafted XMP data to trigger the vulnerability and cause application crashes.

References (2)

Core 2
Core References
Vendor Advisory vendor-advisory
GitHub Security Advisory (GHSA-qh5g-q395-cx4j)
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qh5g-q395-cx4j
Third Party Advisory third-party-advisory
VulnCheck Advisory: ImageMagick before 7.1.2-26 Heap Use-After-Free via XMP
https://www.vulncheck.com/advisories/imagemagick-before-26-heap-use-after-free-via-xmp

Scores

CVSS v3 3.7
EPSS 0.0023
EPSS Percentile 13.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-252
Status published
Products (5)
ImageMagick/ImageMagick < 6.9.13-51
imagemagick/imagemagick < 6.9.13-51
ImageMagick/ImageMagick < 7.1.2-26
ImageMagick/ImageMagick 6.9.13-51
ImageMagick/ImageMagick 7.1.2-26
Published Jul 11, 2026
Tracked Since Jul 11, 2026