CVE-2026-61857 PUBLISHED

ImageMagick before 7.1.2-26 Heap Use-After-Free via XMP

Assigner: VulnCheck
Reserved: 10.07.2026 Published: 11.07.2026 Updated: 11.07.2026

ImageMagick before 7.1.2-26 contains a heap use-after-free vulnerability caused by missing null check when parsing XMP profiles. Attackers can craft malicious image files with specially crafted XMP data to trigger the vulnerability and cause application crashes.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
CVSS Score: 6.3

Product Status

Vendor ImageMagick
Product ImageMagick
Versions Default: unaffected
  • affected from 0 to 7.1.2-26 (excl.)
  • Version 7.1.2-26 is unaffected
Vendor ImageMagick
Product ImageMagick
Versions Default: unaffected
  • affected from 0 to 6.9.13-51 (excl.)
  • Version 6.9.13-51 is unaffected

Credits

  • rexpository reporter

References

Problem Types

  • Unchecked Return Value CWE