Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-56364

CVE-2026-56364: ImageMagick Memory Leak DoS Vulnerability

CVE-2026-56364 is a memory leak denial of service flaw in ImageMagick affecting versions before 7.1.2-13. Attackers can exploit malformed OpenCL XML files to exhaust system memory. This article covers technical details, impact, and mitigations.

Published:

CVE-2026-56364 Overview

CVE-2026-56364 is a memory leak vulnerability in ImageMagick versions before 7.1.2-13. The flaw resides in the LoadOpenCLDeviceBenchmark() function, which parses OpenCL device profile XML files from the OpenCL cache directory. When the parser encounters malformed XML containing unclosed device elements, allocated memory is not released. Attackers with write access to the OpenCL cache directory can plant malicious XML files to exhaust process memory and trigger denial of service. The vulnerability is tracked under [CWE-401] (Missing Release of Memory after Effective Lifetime).

Critical Impact

A local attacker with write access to the OpenCL cache directory can exhaust memory and cause denial of service in applications relying on ImageMagick.

Affected Products

  • ImageMagick versions prior to 7.1.2-13
  • Applications embedding vulnerable ImageMagick libraries with OpenCL support enabled
  • Systems where the OpenCL cache directory is writable by untrusted users

Discovery Timeline

  • 2026-06-30 - CVE-2026-56364 published to NVD
  • 2026-07-02 - Last updated in NVD database

Technical Details for CVE-2026-56364

Vulnerability Analysis

The defect lives in LoadOpenCLDeviceBenchmark(), a routine that reads cached OpenCL device benchmark data serialized as XML. During parsing, the function allocates structures to track each <device> element it encounters. When a device element is left unclosed in the input XML, the parser fails to reach the cleanup path that frees the associated allocation. Each malformed element processed adds to the resident memory footprint of the host process. Repeated invocations against crafted XML compound the leak until the process is killed by the OOM manager or fails subsequent allocations.

Root Cause

The root cause is missing memory release on an error or early-exit branch inside LoadOpenCLDeviceBenchmark(). The XML parsing logic assumes well-formed input with matched opening and closing device tags. When the closing tag is absent, control flow bypasses the deallocation call that would normally free the device structure. This is a classic [CWE-401] pattern where cleanup responsibilities are not enforced on all exit paths.

Attack Vector

Exploitation requires local access with write privileges to the OpenCL cache directory used by ImageMagick. An attacker plants one or more malformed XML profile files containing unclosed <device> elements. When ImageMagick initializes OpenCL device benchmarking, it reads the poisoned cache and leaks memory for each malformed entry. The upstream fix is available in commit a52c1b402be08ef8ae193f28ac5b2e120f2fa26f. See the GitHub Security Advisory GHSA-qp59-x883-77qv and the VulnCheck Advisory for additional technical detail.

Detection Methods for CVE-2026-56364

Indicators of Compromise

  • Unexpected XML files in the ImageMagick OpenCL cache directory (commonly under $HOME/.config/ImageMagick/ or /tmp) containing unclosed <device> tags.
  • ImageMagick processes exhibiting steadily growing resident set size (RSS) during startup or benchmark initialization.
  • Repeated OOM kills of processes that invoke convert, magick, or library consumers of ImageMagick with OpenCL enabled.

Detection Strategies

  • Monitor file creation and modification events in the OpenCL cache directory and alert on writes from non-service accounts.
  • Validate the well-formedness of cached OpenCL XML profiles using an out-of-band XML linter as part of host integrity checks.
  • Track process memory growth for ImageMagick binaries and flag anomalous RSS increases correlated with cache file access.

Monitoring Recommendations

  • Enable file integrity monitoring on the ImageMagick configuration and cache directories.
  • Log ImageMagick invocations and capture the working directory and effective user context.
  • Correlate memory-exhaustion signals with recent modifications to OpenCL cache files to surface tampering.

How to Mitigate CVE-2026-56364

Immediate Actions Required

  • Upgrade ImageMagick to version 7.1.2-13 or later on all systems.
  • Audit the OpenCL cache directory permissions and remove write access for non-privileged users.
  • Delete any untrusted or unexpected XML files present in the OpenCL cache directory.

Patch Information

The fix is delivered in ImageMagick 7.1.2-13 via upstream commit a52c1b402be08ef8ae193f28ac5b2e120f2fa26f. The patch adds the missing deallocation on the error path when a device element is not properly closed. Details are documented in the GitHub Security Advisory GHSA-qp59-x883-77qv.

Workarounds

  • Disable OpenCL support in ImageMagick by setting the environment variable MAGICK_OCL_DEVICE=OFF for affected processes.
  • Restrict the OpenCL cache directory to mode 0700 owned by the service account that runs ImageMagick.
  • Run ImageMagick under a resource-limited process context using ulimit or cgroup memory limits to contain leak-driven exhaustion.
bash
# Configuration example
export MAGICK_OCL_DEVICE=OFF
chmod 700 "$HOME/.config/ImageMagick"
ulimit -v 1048576  # cap virtual memory at 1 GiB per process

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.