CVE-2026-61870

NameCVE-2026-61870
DescriptionImageMagick before 7.1.2-26 contains a memory leak vulnerability in the VIFF encoder when memory allocation fails. Attackers can trigger allocation failures by processing specially crafted VIFF images to exhaust available memory and cause denial of service.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
imagemagick (PTS)bullseye8:6.9.11.60+dfsg-1.3+deb11u4vulnerable
bullseye (security)8:6.9.11.60+dfsg-1.3+deb11u14vulnerable
bookworm, bookworm (security)8:6.9.11.60+dfsg-1.6+deb12u11vulnerable
trixie8:7.1.1.43+dfsg1-1+deb13u10vulnerable
trixie (security)8:7.1.1.43+dfsg1-1+deb13u11vulnerable
forky, sid8:7.1.2.27+dfsg1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
imagemagicksource(unstable)8:7.1.2.26+dfsg1-1

Notes

https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-m596-67p7-69wh
Fixed by: https://github.com/ImageMagick/ImageMagick/commit/fdbf39ba9a681e53e6025d40501ae5a2bfec3000 (7.1.2-26)
Fixed by: https://github.com/ImageMagick/ImageMagick6/commit/3c574f9ba5387f5f11669fdb4d4e8febc199dca3 (6.9.13-51)

Search for package or bug name: Reporting problems