CVE-2026-61870

LOW

ImageMagick before 7.1.2-26 Memory Leak via VIFF Encoder

Title source: cna
STIX 2.1

Description

ImageMagick before 7.1.2-26 contains a memory leak vulnerability in the VIFF encoder when memory allocation fails. Attackers can trigger allocation failures by processing specially crafted VIFF images to exhaust available memory and cause denial of service.

References (2)

Core 2
Core References
Vendor Advisory vendor-advisory
GitHub Security Advisory (GHSA-m596-67p7-69wh)
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-m596-67p7-69wh
Third Party Advisory third-party-advisory
VulnCheck Advisory: ImageMagick before 7.1.2-26 Memory Leak via VIFF Encoder
https://www.vulncheck.com/advisories/imagemagick-before-26-memory-leak-via-viff-encoder

Scores

CVSS v3 2.9
EPSS 0.0010
EPSS Percentile 1.2%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-401
Status published
Products (5)
ImageMagick/ImageMagick < 6.9.13-51
imagemagick/imagemagick < 6.9.13-51
ImageMagick/ImageMagick < 7.1.2-26
ImageMagick/ImageMagick 6.9.13-51
ImageMagick/ImageMagick 7.1.2-26
Published Jul 11, 2026
Tracked Since Jul 11, 2026