ImageMagick - Memory Leak in LoadOpenCLDeviceBenchmark() via Malformed XML
Summary
| CVE | CVE-2026-56364 |
|---|---|
| State | PUBLISHED |
| Assigner | VulnCheck |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-30 23:17:31 UTC |
| Updated | 2026-07-02 18:34:24 UTC |
| Description | ImageMagick before 7.1.2-13 contains a memory leak vulnerability in the LoadOpenCLDeviceBenchmark() function when parsing malformed OpenCL device profile XML files with unclosed device elements. Attackers with write access to the OpenCL cache directory can place malicious XML files to exhaust memory and cause denial of service. |
Risk And Classification
Primary CVSS: v4.0 1.8 LOW from [email protected]
CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.001190000 probability, percentile 0.020430000 (date 2026-07-02)
Problem Types: CWE-401 | CWE-401 Missing Release of Memory after Effective Lifetime
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 1.8 | LOW | CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/C... |
| 4.0 | CNA | CVSS | 1.8 | LOW | CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
| 3.1 | [email protected] | Secondary | 1.9 | LOW | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L |
| 3.1 | CNA | CVSS | 1.9 | LOW | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L |
CVSS v4.0 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Local |
| Attack Complexity | High |
| Attack Requirements | Present |
| Privileges Required | High |
| User Interaction | None |
| Confidentiality | None |
| Integrity | None |
| Availability | Low |
| Sub Conf. | None |
| Sub Integrity | None |
| Sub Availability | None |

CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Local |
| Attack Complexity | High |
| Privileges Required | High |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity | None |
| Availability | Low |

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Imagemagick | Imagemagick | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | ImageMagick | ImageMagick | affected 7.1.2-13 semver | Not specified |
| CNA | ImageMagick | ImageMagick | unaffected 7.1.2-13 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qp59-x883-77qv | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | github.com | Exploit, Vendor Advisory |
| github.com/ImageMagick/ImageMagick/commit/a52c1b402be08ef8ae193f28ac5b2e... | [email protected] | github.com | Patch |
| www.vulncheck.com/advisories/imagemagick-memory-leak-in-loadopencldevicebenchma... | [email protected] | www.vulncheck.com | Patch, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Keryer (en)
There are currently no legacy QID mappings associated with this CVE.