Home

Description

ImageMagick before 7.1.2-26 contains a heap use-after-free vulnerability caused by missing null check when parsing XMP profiles. Attackers can craft malicious image files with specially crafted XMP data to trigger the vulnerability and cause application crashes.

PUBLISHED Reserved 2026-07-10 | Published 2026-07-11 | Updated 2026-07-11 | Assigner VulnCheck




MEDIUM: 6.3CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
LOW: 3.7CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Problem types

Unchecked Return Value

Product status

Default status
unaffected

Any version before 7.1.2-26
affected

7.1.2-26 (semver)
unaffected

Default status
unaffected

Any version before 6.9.13-51
affected

6.9.13-51 (semver)
unaffected

Credits

rexpository reporter

References

github.com/...Magick/security/advisories/GHSA-qh5g-q395-cx4j (GitHub Security Advisory (GHSA-qh5g-q395-cx4j)) vendor-advisory

www.vulncheck.com/...k-before-26-heap-use-after-free-via-xmp (VulnCheck Advisory: ImageMagick before 7.1.2-26 Heap Use-After-Free via XMP) third-party-advisory

cve.org (CVE-2026-61857)

nvd.nist.gov (CVE-2026-61857)

Download JSON