CVE-2026-56369 PUBLISHED

ImageMagick - Information Disclosure via AES-CTR Nonce Reuse in PasskeyEncipherImage

Assigner: VulnCheck
Reserved: 21.06.2026 Published: 30.06.2026 Updated: 01.07.2026

ImageMagick before 7.1.2-22 contains an information disclosure vulnerability in the PasskeyEncipherImage method due to AES-CTR nonce reuse. Attackers can exploit nonce reuse in the cipher implementation to recover plaintext information from encrypted images.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 6.3

Product Status

Vendor: ImageMagick
Product: ImageMagick
Versions: Default: unaffected
  • affected from 0 to 7.1.2-22 (excl.)
  • Version 7.1.2-22 is unaffected

Vendor: ImageMagick
Product: ImageMagick
Versions: Default: unaffected
  • affected from 0 to 6.9.13-47 (excl.)
  • Version 6.9.13-47 is unaffected

Credits

  • 007bsd (reporter)
  • LuiginoC (reporter)

Problem Types

  • Reusing a Nonce, Key Pair in Encryption CWE