CVE Catalog

CVE-2026-56364

Low · CVSS 1.9
Exploitation Probability (EPSS)

Low risk
0.12%

2nd percentile (higher than 2% of all known CVEs)

Summary

A memory leak vulnerability in ImageMagick before version 7.1.2-13 exists in the LoadOpenCLDeviceBenchmark() function when parsing malformed OpenCL device profile XML files with unclosed device elements. Attackers with write access to the OpenCL cache directory can place malicious XML files to exhaust memory and cause denial of service.

Risk Assessment

The risk is a potential denial-of-service attack through memory exhaustion, which can disrupt applications using ImageMagick for image processing. The attack requires write access to the OpenCL cache directory, limiting the attack vector, but it may be a real threat in shared environments.

Recommendation

Immediately update ImageMagick to version 7.1.2-13 or later. Additionally, restrict write permissions to the OpenCL cache directory to trusted users only.

Original NVD description (English source)

ImageMagick before 7.1.2-13 contains a memory leak vulnerability in LoadOpenCLDeviceBenchmark() function when parsing malformed OpenCL device profile XML files with unclosed device elements. Attackers with write access to the OpenCL cache directory can place malicious XML files to exhaust memory and cause denial of service.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS