ImageMagick
CVE-2026-53460
HIGH
Severity by source
Primary rating: Vendor (GitHub_M), CVSS 7.5 High.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Rationale: a crafted image reaches ImageMagick through any network-exposed processing endpoint with no authentication or user interaction; the impact is OOM-induced availability loss only, with no confidentiality or integrity effect.
Description (CVE.org)
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-50 and 7.1.2-25, a missing check for the maximum memory request in AcquireAlignedMemory could trigger an out-of-memory condition. This issue has been patched in versions 6.9.13-50 and 7.1.2-25.
Analysis (AI)
Denial of service in ImageMagick prior to 6.9.13-50 and 7.1.2-25 allows remote attackers to trigger an out-of-memory condition by submitting crafted images whose decoding makes the AcquireAlignedMemory routine request a buffer with no upper bound enforced; the check for a maximum memory request was missing rather than bypassed. The CVSS 7.5 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects unauthenticated network exploitability with high availability impact but no confidentiality or integrity loss. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires that an attacker can deliver an arbitrary image payload to a code path that calls AcquireAlignedMemory in ImageMagick before 6.9.13-50 (6.x) or 7.1.2-25 (7.x): typically any application that accepts user-supplied images and invokes convert, identify, mogrify, or a MagickWand/Magick++ binding. … |
| Risk Assessment | Signals are mixed. … |
| Exploit Scenario | An attacker uploads a specially crafted image (for example one whose declared dimensions or channel counts force AcquireAlignedMemory to request a huge buffer) to any public endpoint that hands the file to ImageMagick: avatar upload, document thumbnailer, OCR preprocessing. Because the size of the request is never compared against a maximum, the allocation exceeds available memory and the conversion worker (or the host, if the worker is unconfined) is killed by the OOM killer, denying service to other users. … |
| Remediation | Vendor-released patch: upgrade to ImageMagick 6.9.13-50 or 7.1.2-25 (or later) per GHSA-q62c-h75r-2xhc (https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-q62c-h75r-2xhc); downstream distribution packages should be tracked and updated as backports become available. As general hardening (not part of the advisory), run image conversion in a separate process under an external memory cap (a cgroup limit or ulimit) so that an oversized allocation takes down only that worker rather than the host. … |
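The scenario above, as an added example that is not ImageMagick's code: a hypothetical aligned allocator with the count*quantum shape, called once with no maximum-request ceiling (the pre-fix shape described by the advisory) and once with one, against constructed image headers. `acquire_aligned`, `try_header`, `MAX_MEMORY_REQUEST` (256 MiB) and the header fields are this example's own names and assumptions; nothing here is taken from the ImageMagick sources.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define ALIGNMENT 64u

/* Assumed per-request ceiling for this example only; a real deployment would
 * take it from its resource policy. This is not ImageMagick's value. */
#define MAX_MEMORY_REQUEST ((size_t)256 << 20)   /* 256 MiB */

typedef enum {
    ACQUIRE_OK = 0,
    ACQUIRE_OVERFLOW,   /* the byte count does not fit in size_t */
    ACQUIRE_TOO_LARGE,  /* the request exceeds the configured ceiling */
    ACQUIRE_NOMEM       /* the allocator refused */
} acquire_status;

static const char *status_name(acquire_status s)
{
    switch (s) {
    case ACQUIRE_OK:        return "allocated";
    case ACQUIRE_OVERFLOW:  return "rejected: size arithmetic overflows";
    case ACQUIRE_TOO_LARGE: return "rejected: exceeds maximum memory request";
    default:                return "allocator returned NULL";
    }
}

/* Overflow-checked a*b into *out; returns 0 if the product does not fit. */
static int mul_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a) return 0;
    *out = a * b;
    return 1;
}

/* Hypothetical aligned allocator (example code) with the shape count*quantum.
 * limit == 0 reproduces the pre-fix behaviour, where no maximum-request check
 * exists; a non-zero limit is the kind of check the advisory says was missing. */
static acquire_status acquire_aligned(size_t count, size_t quantum, size_t limit, void **out)
{
    size_t size;
    *out = NULL;
    if (count == 0 || quantum == 0) return ACQUIRE_OVERFLOW;
    if (!mul_size(count, quantum, &size)) return ACQUIRE_OVERFLOW;
    /* round up to the alignment, guarding the addition as well */
    if (size > SIZE_MAX - (ALIGNMENT - 1)) return ACQUIRE_OVERFLOW;
    size = (size + ALIGNMENT - 1) & ~(size_t)(ALIGNMENT - 1);
    if (limit != 0 && size > limit) return ACQUIRE_TOO_LARGE;
    *out = aligned_alloc(ALIGNMENT, size);
    return *out != NULL ? ACQUIRE_OK : ACQUIRE_NOMEM;
}

/* Constructed "header": the dimensions a crafted file might declare.
 * Requests width*height*channels cells of bytes_per_channel bytes each,
 * frees whatever was allocated and reports the outcome. */
static acquire_status try_header(size_t width, size_t height, size_t channels,
                                 size_t bytes_per_channel, size_t limit)
{
    size_t cells;
    void *pixels;
    acquire_status s;
    if (!mul_size(width, height, &cells) || !mul_size(cells, channels, &cells))
        return ACQUIRE_OVERFLOW;
    s = acquire_aligned(cells, bytes_per_channel, limit, &pixels);
    free(pixels);   /* free(NULL) is a no-op */
    return s;
}

int main(void)
{
    /* constructed inputs: one legitimate header and two crafted ones */
    const struct { const char *name; size_t w, h, ch, bpc; } cases[] = {
        {"1024x768 RGBA, 16-bit (legitimate)",        1024,     768,   4, 2},
        {"65535x65535 RGBA, 32-bit (crafted, huge)",  65535,    65535, 4, 4},
        {"SIZE_MAX x 2, 1 channel (crafted, wraps)",  SIZE_MAX, 2,     1, 1},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        acquire_status s = try_header(cases[i].w, cases[i].h, cases[i].ch,
                                      cases[i].bpc, MAX_MEMORY_REQUEST);
        printf("%-45s -> %s\n", cases[i].name, status_name(s));
    }
    return 0;
}
```

Build with `cc -std=c11 example.c` and run it. The point of the limit check is that the decision is taken on the computed request size, before the allocator is asked; the same crafted header passed with `limit == 0` goes straight to `aligned_alloc`, which is the failure mode the advisory describes. The check guards only this allocation path, so it complements, rather than replaces, the process-level memory cap mentioned under Remediation.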
Recommended Action (AI)
Within 24 hours: Identify all systems running ImageMagick (especially production image upload/processing endpoints) and document current versions; disable or restrict public access to image processing services where operationally feasible. …
More from same product – last 7 days
- Out-of-bounds heap write in ImageMagick's ICON decoder allows remote attackers to crash the application by supplying a m…
- Heap-based buffer over-write in ImageMagick's SF3 encoder prior to version 7.1.2-25 allows an attacker who can supply a…
- Heap-use-after-free in ImageMagick's CheckPrimitiveExtent function allows remote attackers to crash the image processing…
- Null pointer dereference in ImageMagick's distort operation crashes the processing process when an attacker supplies mal…
- Memory leak in ImageMagick's wand option parser degrades availability when invalid options are supplied, affecting all v…