CVE-2026-53462: Heap Use-After-Free Vulnerability in ImageMagick Vector Drawing Subsystem
Vulnerability ID: CVE-2026-53462
CVSS Score: 5.9
Published: 2026-06-26
CVE-2026-53462 is a heap Use-After-Free (UAF) vulnerability in ImageMagick's vector drawing subsystem, specifically within the coordinate allocation mechanism in CheckPrimitiveExtent. By parsing a crafted vector image (such as SVG or MVG) containing extremely complex primitives, an attacker can trigger a memory reallocation failure. If ImageMagick does not handle this allocation failure cleanly, it leaves a dangling pointer that can subsequently be accessed or freed again, causing memory corruption or an application crash.
TL;DR
A heap Use-After-Free vulnerability in ImageMagick's drawing engine can be triggered via crafted vector images, potentially leading to denial of service or remote code execution.
Technical Details
- CWE ID: CWE-416 (Use After Free)
- Attack Vector: Network (AV:N)
- CVSS v3.1 Score: 5.9 (Medium)
- EPSS Score: 0.00227 (Percentile: 13.34%)
- Impact: Availability (High)
- Exploit Status: None (No public exploits or weaponized payloads)
- KEV Status: Not Listed
Affected Systems
- ImageMagick 6.x installations prior to version 6.9.13-50
- ImageMagick 7.x installations prior to version 7.1.2-25
- ImageMagick: < 6.9.13-50 (Fixed in: 6.9.13-50)
- ImageMagick: >= 7.0.0-0, < 7.1.2-25 (Fixed in: 7.1.2-25)
Mitigation Strategies
- Upgrade to ImageMagick 6.9.13-50 (legacy branch) or 7.1.2-25 (modern branch) or newer.
- Disable parsing of vulnerable vector formats (SVG, MVG, PDF, EPS, PS) via policy.xml configuration.
- Enforce strict memory limits inside ImageMagick's policy.xml to mitigate memory allocation manipulation.
Remediation Steps
- Identify vulnerable ImageMagick deployments using local container scanning, host package managers, or software composition analysis.
- Deploy security updates or compile from patched sources for both 6.x and 7.x code paths.
- Configure ImageMagick policy.xml file to restrict vector file processing capabilities if updates cannot be immediately applied.
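To support the version check in the first remediation step and the policy.xml fallback in the third, here is an added shell example (not from the advisory or the ImageMagick project). It assumes the fixed releases given above and the `Version: ImageMagick X.Y.Z-R ...` line that `magick -version` and `convert -version` print; the resource limits are illustrative values to tune per deployment.

```shell
# Added example, not the project's code. Assumes the fixed releases named in the
# advisory (6.9.13-50 for 6.x, 7.1.2-25 for 7.x) and the "Version: ImageMagick
# X.Y.Z-R ..." line printed by `magick -version` / `convert -version`.
# Compare two versions of the form MAJOR.MINOR.PATCH-RELEASE (missing fields = 0).
# Prints 0 if equal, 1 if $1 is newer, 2 if $1 is older.
im_vercmp() {
  a=$1; b=$2; i=0
  while [ "$i" -lt 4 ]; do
    fa=${a%%[.-]*}; fb=${b%%[.-]*}
    [ "${fa:-0}" -gt "${fb:-0}" ] && { echo 1; return; }
    [ "${fa:-0}" -lt "${fb:-0}" ] && { echo 2; return; }
    case "$a" in *[.-]*) a=${a#*[.-]} ;; *) a= ;; esac
    case "$b" in *[.-]*) b=${b#*[.-]} ;; *) b= ;; esac
    i=$((i + 1))
  done
  echo 0
}

# Exit 0 when the version is in an affected range (6.x < 6.9.13-50, 7.x < 7.1.2-25).
# Trailing text such as " Q16-HDRI x86_64" is ignored.
im_version_affected() {
  v=$(printf '%s' "$1" | sed 's/[^0-9.-].*$//')
  case "${v%%.*}" in
    6) fixed=6.9.13-50 ;;
    7) fixed=7.1.2-25 ;;
    *) return 1 ;;   # not a release line the advisory covers
  esac
  [ "$(im_vercmp "$v" "$fixed")" -eq 2 ]
}

# Installed version: 7.x ships `magick`; 6.x only has `convert`.
im_installed_version() {
  for cmd in magick convert; do
    command -v "$cmd" >/dev/null 2>&1 &&
      { "$cmd" -version | sed -n 's/^Version: ImageMagick \([0-9][0-9.-]*\).*/\1/p'; return; }
  done
  return 1
}

# Interim mitigation for policy.xml: deny the vector coders the advisory lists and
# cap allocations (illustrative limits). The entries go inside <policymap>.
im_policy_fragment() {
  cat <<'EOF'
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="SVG" />
  <policy domain="coder" rights="none" pattern="{PS,EPS,PDF}" />
  <policy domain="resource" name="memory" value="256MiB" />
  <policy domain="resource" name="area" value="128MB" />
EOF
}
```

Typical use: `v=$(im_installed_version) && im_version_affected "$v" && im_policy_fragment`, then confirm the active rules with `identify -list policy`.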
References
- Official GitHub Security Advisory
- Magick.NET Release Package Info (Wrapper Fix)
- Official CVE Record
- Wiz Vulnerability Analysis Portal