CVE-2026-56361 Overview
CVE-2026-56361 affects ImageMagick versions prior to 7.1.2-19. The vulnerability is an off-by-one error in the morphology validation logic that permits an out-of-bounds heap read [CWE-125]. Attackers supply crafted morphology parameters that cause the library to read a single pixel beyond an allocated heap buffer. The flaw triggers a heap buffer over-read during image processing operations that invoke the morphology routines. Exploitation requires local access and user interaction, limiting large-scale abuse. The issue is tracked under vendor advisory GHSA-q8h3-jv9v-57qx.
Critical Impact
Local attackers can induce a heap buffer over-read in ImageMagick's morphology processing, potentially leaking adjacent heap memory or crashing the host process.
Affected Products
- ImageMagick versions prior to 7.1.2-19
- Applications and services embedding vulnerable ImageMagick libraries
- Linux and Unix distributions shipping affected ImageMagick packages
Discovery Timeline
- 2026-06-30 - CVE-2026-56361 published to NVD
- 2026-07-02 - Last updated in NVD database
Technical Details for CVE-2026-56361
Vulnerability Analysis
The vulnerability resides in ImageMagick's morphology processing code path. Morphology operations apply structured element kernels such as dilate, erode, or convolve to image pixels. The validation routine that bounds-checks kernel parameters contains an off-by-one arithmetic error. This error allows processing to advance one pixel past the end of an allocated heap buffer. The result is a single-pixel out-of-bounds read during kernel iteration.
The defect is classified under [CWE-125] Out-of-Bounds Read. Attackers who influence morphology parameters, either through crafted image files or command-line arguments, can trigger the flaw. The read exposes adjacent heap contents to the processing pipeline, which may include image data, allocator metadata, or unrelated process memory. Repeated exploitation can also destabilize the process and produce denial-of-service conditions.
Root Cause
The root cause is an incorrect boundary comparison in morphology parameter validation. A loop or index calculation uses <= where < is required, or applies a length that is one greater than the allocated element count. When morphology parameters are set to values at the buffer boundary, the code accesses index n on an n-sized buffer. The single-pixel over-read escapes standard bounds checks because the validation logic itself contains the error.
Attack Vector
The attack requires local access and passive user interaction, such as opening or converting a specially crafted image. An attacker delivers a file that triggers a morphology operation with parameters chosen to reach the boundary condition. Processing pipelines that invoke ImageMagick on untrusted uploads, including thumbnail generators and document conversion services, expand the exposure surface. No authentication or elevated privileges are required on the target system. The vulnerability does not enable direct code execution but can facilitate information disclosure and crash conditions.
No public proof-of-concept exploit is available at the time of publication. Technical details are documented in the GitHub Security Advisory GHSA-q8h3-jv9v-57qx and the VulnCheck Advisory on ImageMagick.
Detection Methods for CVE-2026-56361
Indicators of Compromise
- Unexpected crashes or SIGSEGV signals from convert, magick, or mogrify processes during morphology operations
- Anomalous image files containing unusual morphology kernel definitions or oversized structuring elements
- AddressSanitizer or Valgrind reports flagging heap-buffer-overflow reads inside MorphologyApply or related functions
Detection Strategies
- Enumerate installed ImageMagick versions across hosts and containers, flagging any release earlier than 7.1.2-19
- Inspect application logs from image processing services for repeated worker crashes or restart loops tied to morphology calls
- Instrument staging builds with AddressSanitizer to surface out-of-bounds reads during regression testing of image workflows
Monitoring Recommendations
- Alert on abnormal termination of ImageMagick-based worker processes handling user-uploaded content
- Monitor egress from image processing sandboxes for unexpected data patterns that may indicate memory leakage
- Track package inventory changes to confirm patched ImageMagick versions are deployed on all image-handling systems
How to Mitigate CVE-2026-56361
Immediate Actions Required
- Upgrade ImageMagick to version 7.1.2-19 or later on all affected systems
- Restrict ImageMagick invocation to trusted image sources until patches are applied
- Run image conversion workloads in isolated, non-privileged sandboxes with resource limits
Patch Information
The fix is included in ImageMagick 7.1.2-19 and tracked under advisory GHSA-q8h3-jv9v-57qx. Administrators should apply distribution updates from their operating system vendor or rebuild from upstream sources. Confirm patched versions using magick -version after deployment. Refer to the GitHub Security Advisory for commit-level details.
Workarounds
- Disable morphology operations in application code paths that process untrusted images until upgrades complete
- Enforce strict input validation on user-supplied image formats and reject files with malformed metadata
- Apply an ImageMagick policy.xml configuration to restrict coders and resource limits, reducing the attack surface exposed to untrusted content
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

