CVE-2026-61868 in ImageMagick
Summary
by MITRE • 07/15/2026
ImageMagick before 7.1.2-26 and 6.9.x before 6.9.13-51 contains a memory leak in the YUV decoder that occurs when opening of the blob fails. Repeated triggering can lead to resource exhaustion (denial of service).
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/15/2026
This vulnerability exists within ImageMagick's YUV decoder implementation and represents a classic memory management flaw that can be exploited for denial of service attacks. The issue occurs specifically when the blob opening process fails, leaving memory allocated without proper cleanup, creating a gradual accumulation of unused memory resources over time. This type of vulnerability falls under the CWE-401 category for insufficient resource deallocation, which is a well-documented weakness in software systems that handle multimedia file processing.
The technical execution of this vulnerability requires an attacker to craft malicious YUV formatted files or manipulate existing files in such a way that triggers the blob opening failure path within ImageMagick's image processing pipeline. When the decoder encounters malformed data during the blob opening phase, it fails to properly release previously allocated memory segments, resulting in a memory leak that compounds with each attempted file processing operation. The vulnerability affects both major branches of ImageMagick, specifically versions prior to 7.1.2-26 and 6.9.x versions before 6.9.13-51, indicating this was a widespread issue across the software's long-term support releases.
From an operational perspective, this vulnerability presents significant risk in environments where ImageMagick is used for automated image processing, web applications handling user uploads, or systems that process large volumes of media files. The memory leak can occur silently over time, with each failed blob operation incrementally consuming system resources until the target system becomes unresponsive or crashes entirely. Attackers can leverage this by repeatedly submitting malicious YUV files to a vulnerable service, causing progressive resource exhaustion that ultimately leads to denial of service conditions affecting legitimate users and operations.
The mitigation strategy involves immediate patching to versions 7.1.2-26 or later for the 7.x branch and 6.9.13-51 or later for the 6.x branch, which contain fixes for proper memory cleanup during blob opening failures. Organizations should also implement input validation and sanitization measures at network boundaries to prevent potentially malicious files from reaching the ImageMagick processing components. Additionally, system administrators should monitor resource usage patterns and implement automated alerts when memory consumption exceeds normal operational thresholds. This vulnerability aligns with ATT&CK technique T1499.004 for network denial of service and demonstrates how seemingly minor memory management issues can create significant security implications in widely deployed software libraries that handle multimedia content processing tasks across numerous applications and platforms.