CVE-2026-56366

NameCVE-2026-56366
DescriptionImageMagick before 7.1.2-18 contains a memory leak vulnerability in the META reader when processing APP1JPEG input paths. Attackers can trigger this memory leak by providing specially crafted APP1JPEG image files, causing denial of service through resource exhaustion.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
imagemagick (PTS)bullseye8:6.9.11.60+dfsg-1.3+deb11u4vulnerable
bullseye (security)8:6.9.11.60+dfsg-1.3+deb11u14vulnerable
bookworm8:6.9.11.60+dfsg-1.6+deb12u9vulnerable
bookworm (security)8:6.9.11.60+dfsg-1.6+deb12u11vulnerable
trixie8:7.1.1.43+dfsg1-1+deb13u8vulnerable
trixie (security)8:7.1.1.43+dfsg1-1+deb13u11vulnerable
forky, sid8:7.1.2.27+dfsg1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
imagemagicksource(unstable)8:7.1.2.18+dfsg1-1

Notes

https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9r56-3gjq-hqf7
Fixed by: https://github.com/ImageMagick/ImageMagick/commit/bee248ee853a686a969fae9cfb1e02dd5aae245b (7.1.2-18)
Fixed by: https://github.com/ImageMagick/ImageMagick6/commit/1adc49fac3041620abe11fcb06524d33d9dbd035 (6.9.13-43)

Search for package or bug name: Reporting problems