<Vulnerability name="CVE-2026-61864">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Low</ThreatSeverity>
    <PublicDate>2026-07-15T11:25:50</PublicDate>
    <Bugzilla id="2500904" url="https://bugzilla.redhat.com/show_bug.cgi?id=2500904" xml:lang="en:us">
ImageMagick: ImageMagick: Memory leak in color transformation to log colorspace
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>2.9</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-772</CWE>
    <Details xml:lang="en:us" source="Mitre">
ImageMagick before 7.1.2-26 and 6.9.13-51 contains a memory leak in color transformation to the log colorspace: when the operation fails, a small amount of memory is not released.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in ImageMagick. When processing image transformations to the log colorspace, a memory leak can occur if the operation fails. This vulnerability, which can be triggered by a local attacker without requiring special privileges or user interaction, may lead to a denial of service due to unreleased memory.
    </Details>
    <Statement xml:lang="en:us">
Red Hat Enterprise Linux ships ImageMagick in RHEL 6 ELS and RHEL 7 ELS. This flaw has been rated as having a Low security impact and is not currently planned to be addressed in future updates of those products. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
    </Statement>
    <Mitigation xml:lang="en:us">
Do not process untrusted image files with ImageMagick. If processing of untrusted input is required, configure ImageMagick's policy.xml to set memory and map resource limits to contain the impact of potential memory leaks. Upgrade to ImageMagick 7.1.2-26 or 6.9.13-51 mitigates the issue.
    </Mitigation>
    <PackageState impact="low" cpe="cpe:/o:redhat:enterprise_linux:6">
        <ProductName>Red Hat Enterprise Linux 6</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>ImageMagick</PackageName>
    </PackageState>
    <PackageState impact="low" cpe="cpe:/o:redhat:enterprise_linux:7">
        <ProductName>Red Hat Enterprise Linux 7</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>ImageMagick</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-61864
https://nvd.nist.gov/vuln/detail/CVE-2026-61864
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7c7m-fpjw-gwcq
https://www.vulncheck.com/advisories/imagemagick-before-26-memory-leak-in-log-colorspace
    </References>
</Vulnerability>