CVE-2026-61871
Received Received - Intake

Memory Leak in ImageMagick ICON Decoder

Vulnerability report for CVE-2026-61871, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-15

Last updated on: 2026-07-15

Assigner: VulnCheck

Description

ImageMagick before 7.1.2-26 and 6.9.13-51 contains a memory leak in the ICON decoder that occurs when a memory allocation fails. Processing a crafted ICON file that triggers an allocation failure leaks memory, which may lead to a denial of service.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-15
Last Modified
2026-07-15
Generated
2026-07-15
AI Q&A
2026-07-15
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
imagemagick imagemagick to 7.1.2-26 (exc)
imagemagick imagemagick to 6.9.13-51 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-401 The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

Detecting this vulnerability requires checking the installed version of ImageMagick. Use the command 'convert --version' or 'magick --version' to verify if your version is below 7.1.2-26 or 6.9.13-51. If so, the system is vulnerable.

Mitigation Strategies

Immediately update ImageMagick to version 7.1.2-26 or later for the 7.x branch, or 6.9.13-51 or later for the 6.x branch. Avoid processing untrusted ICON files until the update is applied.

Executive Summary

This vulnerability is a memory leak in ImageMagick's ICON decoder. When processing a specially crafted ICON file that causes a memory allocation failure, the software fails to release memory properly. This leads to gradual memory consumption, potentially causing a denial of service by exhausting system resources.

Impact Analysis

The primary impact is system slowdown or crashes due to memory exhaustion. If exploited repeatedly, it could degrade performance or make services unavailable. However, it requires processing a malicious ICON file, so typical users are unlikely to encounter it accidentally.

Compliance Impact

This vulnerability primarily affects system availability. While not directly violating GDPR or HIPAA, repeated denial of service could impact data processing operations. Organizations should patch to maintain service reliability and compliance with availability requirements.

Detection Guidance

To detect this vulnerability, monitor for ImageMagick processes handling ICON files that may cause memory leaks. Check for unusually high memory usage when processing image files. Use tools like 'ps' or 'top' to observe ImageMagick processes. Examine system logs for allocation failures or crashes related to ImageMagick.

Mitigation Strategies

Immediately upgrade ImageMagick to version 7.1.2-26 or later for the 7.x branch, or 6.9.13-51 or later for the 6.x branch. If upgrading is not possible, restrict access to ImageMagick or disable ICON file processing until patched. Monitor memory usage and system performance for signs of resource exhaustion.

Executive Summary

This vulnerability is a memory leak in ImageMagick's ICON decoder. When processing a specially crafted ICON file that causes a memory allocation failure, the software fails to release memory properly. This leads to gradual memory consumption, which can eventually exhaust system resources and cause a denial of service.

Impact Analysis

The main impact is system instability due to memory exhaustion. An attacker could send a malicious ICON file to trigger the leak, causing applications using ImageMagick to slow down or crash. This may disrupt services relying on image processing.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-61871. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart