Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-56365

CVE-2026-56365: ImageMagick DOS Vulnerability

CVE-2026-56365 is a denial of service vulnerability in ImageMagick caused by a memory leak in the PNG encoder when writing MNG images. This article covers the technical details, affected versions, and mitigation strategies.

Published:

CVE-2026-56365 Overview

CVE-2026-56365 is a memory leak vulnerability in ImageMagick versions before 7.1.2-19. The flaw exists in the PNG encoder when writing Multiple-image Network Graphics (MNG) images. Attackers can trigger the encoder failure condition to exhaust memory resources, causing a denial of service. The vulnerability is classified as [CWE-401] Missing Release of Memory after Effective Lifetime. It affects any application or service that uses ImageMagick to process attacker-supplied MNG image conversions.

Critical Impact

Remote attackers can exhaust server memory by submitting crafted MNG image conversion requests, degrading availability of ImageMagick-backed image processing pipelines.

Affected Products

  • ImageMagick versions prior to 7.1.2-19
  • Applications embedding vulnerable ImageMagick libraries for PNG/MNG encoding
  • Web services and image processing pipelines that expose ImageMagick conversion to untrusted input

Discovery Timeline

  • 2026-06-30 - CVE-2026-56365 published to NVD
  • 2026-07-02 - Last updated in NVD database

Technical Details for CVE-2026-56365

Vulnerability Analysis

The vulnerability resides in the PNG encoder path used when ImageMagick writes MNG images. When the encoder hits a failure condition during MNG writing, allocated memory is not released before the error path exits. Repeated triggering of this failure state causes cumulative memory growth in the process. Long-running services that call the encoder on each request will steadily consume system memory. Eventually the process or host runs out of available memory and becomes unresponsive.

The issue is a resource management defect rather than a memory corruption bug. It does not permit code execution or data disclosure, but it does affect availability. Services that convert user-supplied images to MNG format are the primary exposure surface.

Root Cause

The root cause is missing cleanup on an error path in the PNG encoder when producing MNG output. The encoder allocates working buffers and internal structures during the write operation. On the failure branch, the code returns without freeing those allocations. This maps directly to [CWE-401], where allocated memory outlives the code that needed it.

Attack Vector

Exploitation requires an attacker to submit an image conversion request that reaches the MNG writing code path and triggers the encoder failure. The attack is network-reachable when ImageMagick is fronted by a web application, API, or upload processor. No authentication or user interaction is required. High attack complexity reflects the need to craft or repeatedly submit inputs that reliably drive the encoder into the failure state.

See the GitHub Security Advisory and the VulnCheck Advisory for technical details.

Detection Methods for CVE-2026-56365

Indicators of Compromise

  • Steadily increasing resident memory (RSS) of processes invoking magick, convert, or linked ImageMagick libraries
  • Repeated inbound requests submitting images with MNG output format specifiers (e.g., mng:, .mng targets)
  • ImageMagick log entries showing recurring PNG/MNG encoder errors on the same worker process
  • Out-of-memory (OOM) kills or worker restarts in image processing services

Detection Strategies

  • Monitor ImageMagick binary versions across hosts and flag any instance older than 7.1.2-19
  • Inspect application logs for high rates of failed MNG conversions correlated with memory growth
  • Baseline normal memory usage of image conversion workers and alert on sustained upward drift

Monitoring Recommendations

  • Track process-level memory metrics for services calling ImageMagick and alert on non-recovering growth
  • Log and rate-limit image conversion requests that specify MNG as the output format
  • Correlate OOM events with recent image upload activity to identify abuse patterns

How to Mitigate CVE-2026-56365

Immediate Actions Required

  • Upgrade ImageMagick to version 7.1.2-19 or later on all systems
  • Inventory applications and containers bundling ImageMagick and rebuild images with the patched release
  • Restrict or disable MNG as an accepted output format where it is not required
  • Apply request quotas and memory limits to workers that invoke ImageMagick

Patch Information

The fix is available in ImageMagick 7.1.2-19 and later. Refer to the upstream GitHub Security Advisory GHSA-x928-4434-crqj for the patched commit and release notes. Downstream Linux distributions should be checked for backported package updates.

Workarounds

  • Remove or deny the MNG coder in the ImageMagick policy file until patching is complete
  • Enforce per-process memory limits with cgroups, ulimit, or container resource caps to contain leaks
  • Reject user-controlled output format selection and hardcode safe formats such as PNG or JPEG
bash
# /etc/ImageMagick-7/policy.xml - disable MNG coder as a temporary mitigation
<policymap>
  <policy domain="coder" rights="none" pattern="MNG" />
  <policy domain="resource" name="memory" value="256MiB" />
  <policy domain="resource" name="map" value="512MiB" />
</policymap>

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.