<Vulnerability name="CVE-2026-56364">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Low</ThreatSeverity>
    <PublicDate>2026-06-30T22:08:37</PublicDate>
    <Bugzilla id="2495437" url="https://bugzilla.redhat.com/show_bug.cgi?id=2495437" xml:lang="en:us">
Magick.NET-Q8-x64: Magick.NET-Q8-arm64: Magick.NET-Q8-x86: Magick.NET-Q8-OpenMP-x64: Magick.NET-Q8-OpenMP-arm64: Magick.NET-Q16-x64: Magick.NET-Q16-arm64: Magick.NET-Q16-x86: Magick.NET-Q16-OpenMP-x64: Magick.NET-Q16-OpenMP-arm64: Magick.NET-Q16-OpenMP-x86: Magick.NET-Q16-HDRI-x64: Magick.NET-Q16-HDRI-arm64: Magick.NET-Q16-HDRI-x86: Magick.NET-Q16-HDRI-OpenMP-x64: Magick.NET-Q16-HDRI-OpenMP-arm64: Magick.NET-Q8-AnyCPU: Magick.NET-Q16-AnyCPU: Magick.NET-Q16-HDRI-AnyCPU: ImageMagick: Denial of Service via memory leak in OpenCL device profile XML parsing
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>1.9</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-401</CWE>
    <Details xml:lang="en:us" source="Mitre">
ImageMagick before 7.1.2-13 contains a memory leak vulnerability in LoadOpenCLDeviceBenchmark() function when parsing malformed OpenCL device profile XML files with unclosed device elements. Attackers with write access to the OpenCL cache directory can place malicious XML files to exhaust memory and cause denial of service.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A Denial of Service (DoS) vulnerability exists in ImageMagick. An attacker with write access to the OpenCL cache directory can exhaust system memory and crash the application by placing a maliciously crafted file.
    </Details>
    <Statement xml:lang="en:us">
This vulnerability in ImageMagick is of Low impact. It requires an attacker to have local write access to the OpenCL cache directory and for OpenCL to be enabled. Under these conditions, a specially crafted XML file can cause a memory leak, leading to resource exhaustion and a denial of service over extended periods.
    </Statement>
    <Mitigation xml:lang="en:us">
To mitigate this, restrict write access to the OpenCL cache directory to prevent unauthorized or malformed files from being introduced. Additionally, configure process-level memory limits (using mechanisms like ulimit, cgroups, or systemd directives) for ImageMagick to contain potential memory exhaustion and safeguard overall system stability.
    </Mitigation>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:6">
        <ProductName>Red Hat Enterprise Linux 6</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>ImageMagick</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:7">
        <ProductName>Red Hat Enterprise Linux 7</ProductName>
        <FixState>Under investigation</FixState>
        <PackageName>ImageMagick</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-56364
https://nvd.nist.gov/vuln/detail/CVE-2026-56364
https://github.com/ImageMagick/ImageMagick/commit/a52c1b402be08ef8ae193f28ac5b2e120f2fa26f
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qp59-x883-77qv
https://www.vulncheck.com/advisories/imagemagick-memory-leak-in-loadopencldevicebenchmark-via-malformed-xml
    </References>
</Vulnerability>