<Vulnerability name="CVE-2026-61872">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Low</ThreatSeverity>
    <PublicDate>2026-07-15T11:25:55</PublicDate>
    <Bugzilla id="2500907" url="https://bugzilla.redhat.com/show_bug.cgi?id=2500907" xml:lang="en:us">
ImageMagick: ImageMagick: Denial of Service due to memory leak in TIFF encoder
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>2.5</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-772</CWE>
    <Details xml:lang="en:us" source="Mitre">
ImageMagick before 7.1.2-26 and 6.9.13-51 contains a memory leak in the TIFF encoder when an invalid tiff:tile-geometry is specified. Supplying malformed tile geometry parameters causes allocated memory not to be released, which can lead to increased memory consumption.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in ImageMagick. A local user can exploit this vulnerability by supplying malformed tile geometry parameters to the TIFF encoder. This can cause a memory leak, preventing allocated memory from being released. The primary consequence is increased memory consumption, which may lead to a Denial of Service (DoS) condition.
    </Details>
    <Statement xml:lang="en:us">
Red Hat Enterprise Linux ships ImageMagick in RHEL 6 ELS and RHEL 7 ELS. This flaw has been rated as having a Low security impact and is not currently planned to be addressed in future updates of those products. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
    </Statement>
    <Mitigation xml:lang="en:us">
Do not process untrusted image files with ImageMagick. If processing of untrusted input is required, configure ImageMagick's policy.xml to set memory and map resource limits to contain the impact of potential memory leaks. Upgrade to ImageMagick 7.1.2-26 or 6.9.13-51 mitigates the issue.
    </Mitigation>
    <PackageState impact="low" cpe="cpe:/o:redhat:enterprise_linux:6">
        <ProductName>Red Hat Enterprise Linux 6</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>ImageMagick</PackageName>
    </PackageState>
    <PackageState impact="low" cpe="cpe:/o:redhat:enterprise_linux:7">
        <ProductName>Red Hat Enterprise Linux 7</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>ImageMagick</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-61872
https://nvd.nist.gov/vuln/detail/CVE-2026-61872
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-h5r4-w88w-7ccr
https://www.vulncheck.com/advisories/imagemagick-before-26-memory-leak-via-tiff-encoder
    </References>
</Vulnerability>