<Vulnerability name="CVE-2026-61867">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Low</ThreatSeverity>
    <PublicDate>2026-07-15T11:25:52</PublicDate>
    <Bugzilla id="2500913" url="https://bugzilla.redhat.com/show_bug.cgi?id=2500913" xml:lang="en:us">
ImageMagick: ImageMagick: Denial of Service due to memory leak in TIFF encoder
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>2.9</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-772</CWE>
    <Details xml:lang="en:us" source="Mitre">
ImageMagick before 7.1.2-26 contains a memory leak vulnerability in the TIFF encoder when memory allocation fails. Attackers can trigger allocation failures during TIFF image processing to cause memory exhaustion and denial of service.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in ImageMagick. A remote attacker could exploit a memory leak vulnerability within the TIFF encoder. By processing specially crafted TIFF images, an attacker can trigger memory allocation failures, leading to memory exhaustion. This can result in a denial of service (DoS), making the affected system or application unavailable.
    </Details>
    <Statement xml:lang="en:us">
Red Hat Enterprise Linux ships ImageMagick in RHEL 6 ELS and RHEL 7 ELS. This flaw has been rated as having a Low security impact and is not currently planned to be addressed in future updates of those products. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
    </Statement>
    <Mitigation xml:lang="en:us">
Do not process untrusted image files with ImageMagick. If processing of untrusted input is required, configure ImageMagick's policy.xml to set memory and map resource limits to contain the impact of potential memory leaks. Upgrade to ImageMagick 7.1.2-26 or 6.9.13-51 mitigates the issue.
    </Mitigation>
    <PackageState impact="low" cpe="cpe:/o:redhat:enterprise_linux:6">
        <ProductName>Red Hat Enterprise Linux 6</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>ImageMagick</PackageName>
    </PackageState>
    <PackageState impact="low" cpe="cpe:/o:redhat:enterprise_linux:7">
        <ProductName>Red Hat Enterprise Linux 7</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>ImageMagick</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-61867
https://nvd.nist.gov/vuln/detail/CVE-2026-61867
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-jfq9-q63x-rc63
https://www.vulncheck.com/advisories/imagemagick-before-26-memory-leak-in-tiff-encoder-2
    </References>
</Vulnerability>