<Vulnerability name="CVE-2026-56361">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Low</ThreatSeverity>
    <PublicDate>2026-06-30T22:08:36</PublicDate>
    <Bugzilla id="2495418" url="https://bugzilla.redhat.com/show_bug.cgi?id=2495418" xml:lang="en:us">
ImageMagick: ImageMagick: Heap buffer overflow via incorrect morphology parameters
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>3.3</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-125</CWE>
    <Details xml:lang="en:us" source="Mitre">
ImageMagick before 7.1.2-19 contains an off-by-one error in morphology validation allowing out-of-bounds heap buffer reads. Attackers can trigger heap buffer overflow by providing incorrect morphology parameters causing single pixel memory access violations.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in ImageMagick. An attacker can exploit an off-by-one error in the morphology validation by providing incorrect morphology parameters. This can lead to out-of-bounds heap buffer reads and heap buffer overflow, potentially causing memory access violations.
    </Details>
    <Statement xml:lang="en:us">
This flaw in ImageMagick is rated as Low impact. An attacker can trigger a memory access violation by submitting a maliciously crafted image.

Red Hat has rated this low as there is no impact to the confidentiality of the data and availability is low as denial-of-service is strictly localized to the process handling that specific file.
    </Statement>
    <Mitigation xml:lang="en:us">
To reduce exposure, avoid processing untrusted image files with ImageMagick, particularly those that may contain malformed morphology parameters. If processing untrusted content is necessary, consider implementing sandboxing mechanisms to isolate ImageMagick operations and limit the potential blast radius of any successful exploitation.
    </Mitigation>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:6">
        <ProductName>Red Hat Enterprise Linux 6</ProductName>
        <FixState>Out of support scope</FixState>
        <PackageName>ImageMagick</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:7">
        <ProductName>Red Hat Enterprise Linux 7</ProductName>
        <FixState>Out of support scope</FixState>
        <PackageName>ImageMagick</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-56361
https://nvd.nist.gov/vuln/detail/CVE-2026-56361
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-q8h3-jv9v-57qx
https://www.vulncheck.com/advisories/imagemagick-heap-buffer-overflow-via-off-by-one-in-morphology-processing
    </References>
</Vulnerability>