CVE-2026-56376 | ImageMagick before 7.1.2-15 and 6.9.13-40 contains a heap us… | CVSS 3.7 LOW

Description

ImageMagick before 7.1.2-15 and 6.9.13-40 contains a heap use-after-free in the meta coder: when memory allocation fails, a single byte is written to a stale pointer. Remote attackers can trigger it by processing specially crafted image files, causing a denial of service.

Metadata

CVE ID: CVE-2026-56376
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-21 02:05 UTC
Published: 2026-06-23 12:13 UTC
Last updated: 2026-06-23 13:06 UTC
Primary CWE: CWE-416
Use After Free
Vendor / Product: ImageMagick / ImageMagick
Sources: cve.org · NVD

Severity & Metrics

3.7 LOW CVSS 3.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (2)

Vendor	Product	Platform	Versions
ImageMagick	ImageMagick	—	0 < 7.1.2-15, 7.1.2-15
ImageMagick	ImageMagick	—	0 < 6.9.13-40, 6.9.13-40

Weakness (CWE)

CWE	Source	Description
CWE-416	cna	Use After Free

CVSS scores (2)

Score	Severity	Version	Source	Vector
6.3	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
3.7	LOW	3.1	cna	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

References (2)

GitHub Security Advisory (GHSA-2gq3-ww97-wfjm) https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-2gq3-ww97-wfjm
VulnCheck Advisory: ImageMagick - Heap Use-After-Free in Meta Coder https://www.vulncheck.com/advisories/imagemagick-heap-use-after-free-in-meta-coder