PatchSiren cyber security CVE debrief
CVE-2026-61465 ImageMagick CVE debrief
ImageMagick before 7.1.2-26 and 6.9.13-51 is missing a check for the allowed memory allocation limit in matrix-backed operations such as -canny. An attacker can supply a crafted image that causes ImageMagick to allocate more memory than permitted by the configured policy, resulting in a denial of service. This vulnerability has a CVSS score of 4.8 and a severity of MEDIUM. The vulnerability was publicly disclosed on 2026-07-11.
- Vendor
- ImageMagick
- Product
- Unknown
- CVSS
- MEDIUM 4.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-11
- Original CVE updated
- 2026-07-11
- Advisory published
- 2026-07-11
- Advisory updated
- 2026-07-11
Who should care
Users of ImageMagick before 7.1.2-26 and 6.9.13-51 should be aware of this vulnerability and take steps to mitigate it. This includes reviewing and applying vendor-supported updates or mitigations, implementing compensating controls, and monitoring systems for unusual memory allocation patterns.
Technical summary
The vulnerability exists in ImageMagick's handling of matrix-backed operations such as -canny. The software fails to check the allowed memory allocation limit, allowing an attacker to supply a crafted image that causes excessive memory allocation, leading to a denial of service. This issue affects ImageMagick versions before 7.1.2-26 and 6.9.13-51. Users of ImageMagick should verify their deployments and review the official advisory for affected scope and severity. The CVE record was published on 2026-07-11T14:16:23.767Z and has not been modified since then. The NVD entry is currently 4.8 MEDIUM. This information is based on the NVD entry and the CVE record.
Defensive priority
Medium
Recommended defensive actions
- Update ImageMagick to version 7.1.2-26 or later, or 6.9.13-51 or later
- Implement compensating controls to limit the impact of a potential denial of service
- Monitor systems for unusual memory allocation patterns
- Review the official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-11T14:16:23.767Z and has not been modified since then. The NVD entry is currently 4.8 MEDIUM. This information is based on the NVD entry and the CVE record. The vulnerability affects ImageMagick before 7.1.2-26 and 6.9.13-51. Users should verify their deployments and review the official advisory for affected scope and severity.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-11T14:16:23.767Z and has not been modified since then.