CVE-2026-61857

NameCVE-2026-61857
DescriptionImageMagick before 7.1.2-26 contains a heap use-after-free vulnerability caused by missing null check when parsing XMP profiles. Attackers can craft malicious image files with specially crafted XMP data to trigger the vulnerability and cause application crashes.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
imagemagick (PTS)bullseye8:6.9.11.60+dfsg-1.3+deb11u4vulnerable
bullseye (security)8:6.9.11.60+dfsg-1.3+deb11u14vulnerable
bookworm, bookworm (security)8:6.9.11.60+dfsg-1.6+deb12u11vulnerable
trixie8:7.1.1.43+dfsg1-1+deb13u10vulnerable
trixie (security)8:7.1.1.43+dfsg1-1+deb13u11vulnerable
forky, sid8:7.1.2.27+dfsg1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
imagemagicksource(unstable)8:7.1.2.26+dfsg1-1

Notes

https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qh5g-q395-cx4j
Fixed by: https://github.com/ImageMagick/ImageMagick/commit/150c9852402ac1aa1f223e5bf5109e3a2022ebbc (7.1.2-26)
Fixed by: https://github.com/ImageMagick/ImageMagick6/commit/e1d94d92d985f8c0bb648ddbcd70ba3362a84674 (6.9.13-51)

Search for package or bug name: Reporting problems