ImageMagick
CVE-2026-53464
MEDIUM
Severity by source
CVSS Vector (Vendor: GitHub_M): CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Local invocation by any user, no privileges required, no confidentiality or integrity impact; only gradual low-severity memory exhaustion from repeated invocations.
Primary rating from vendor (GitHub_M).
Description (CVE.org)
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-25, when invalid options are provided to the wand option parser, a small memory leak occurs. This issue has been patched in version 7.1.2-25.
Analysis (AI)
Memory leak in ImageMagick's wand option parser degrades availability when invalid options are supplied, affecting all versions prior to 7.1.2-25. The leak is described as small, meaning impact is limited to gradual memory exhaustion rather than immediate resource collapse. …
Vulnerability Assessment (AI)

| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires local access to invoke the ImageMagick wand option parser with invalid or unrecognized option values, for example via the command-line tool or the Wand API. … |
| Risk Assessment | The aggregate risk signal here is low. … |
| Exploit Scenario | A local user or application-layer process invokes ImageMagick repeatedly with malformed or unsupported option strings, for example through a bulk image processing job or an upload handler that passes user-controlled parameters. Each invocation leaks a small amount of heap memory, and over thousands of calls the process or host memory is gradually consumed, eventually degrading availability. … |
| Remediation | The primary fix is to upgrade ImageMagick to version 7.1.2-25 or later, which resolves the memory leak in the wand option parser per the vendor advisory at https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-j989-f892-2335. … |