CVE-2026-53460 · Severity: HIGH · CNA: GitHub_M

CVE-2026-53460: ImageMagick: Policy Bypass can trigger out-of-Memory condition

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-50 and 7.1.2-25, a missing check for maximum memory request in AcquireAlignedMemory could trigger an out-of-Memory condition. This issue has been patched in versions 6.9.13-50 and 7.1.2-25.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: 6.9.13-50, 7.1.2-25
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An out-of-memory denial-of-service vulnerability exists in ImageMagick, affecting versions prior to 6.9.13-50 and 7.1.2-25. A missing upper-bound check in the AcquireAlignedMemory function allows a remote, unauthenticated attacker to trigger unbounded memory allocation with a crafted image sent over the network; no victim interaction is needed. Successful exploitation crashes the ImageMagick process, disrupting any service that depends on it for image processing. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment upstream fix versions are confirmed and published.

HarborGuard Coverage

Detection (status: Available)

Detection capability for CVE-2026-53460 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built images that bundle ImageMagick. Coverage applies to both registry scans and in-pipeline build-time scans.
Triage (status: Available)

HarborGuard is capable of scoring this CVE at CVSS 7.5 (HIGH) and weighting it against each customer environment's compliance policy to determine urgency. Triage routing is available to direct alerts to the appropriate team inbox within each customer organization based on policy configuration.
Patch (status: Pending upstream)

Because no fix versions have been published upstream at this time, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once a fix version becomes available.

Exploit Conditions

  • Network reachability: Required

    The vulnerable ImageMagick service must be reachable over the network, as the CVSS vector specifies AV:N (attack vector: network).

  • Authentication: Not required

    No credentials or account are needed to exploit this vulnerability; the CVSS vector specifies PR:N (no privileges required).

  • Victim interaction: Not required

    No user action is needed; the attacker can trigger the memory exhaustion by submitting a crafted image directly, as the CVSS vector specifies UI:N.

  • Attack complexity: Low

    Exploitation is reliable and needs no special conditions, such as winning a race or preparing the environment, as the CVSS vector specifies AC:L (attack complexity: low).

Blast Radius

  • Crashes the ImageMagick process by exhausting available system memory, taking down any dependent image-processing service.
  • Causes denial of service to all users or upstream callers that rely on ImageMagick for image manipulation during the outage window.
  • May starve co-located processes of memory on the same host, potentially destabilizing other containerized workloads sharing the node.

How HarborGuard Handles This

Available on HarborGuard: detection capability for this CVE is active and will flag any customer image containing a vulnerable ImageMagick version as soon as the image is scanned. Because no upstream fix has been published yet, HarborGuard monitors this advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix version is confirmed. For customers with auto-remediation enabled, the full rebuild-and-PR flow will trigger automatically at that point. In the interim, compensating controls worth considering include network-policy rules that restrict which services can submit arbitrary image payloads to ImageMagick-backed endpoints, egress filtering to limit the attack surface of exposed processing pipelines, and feature-flag gating to disable image-format parsers that are not required by the application.

Affected packages
  • ImageMagick / ImageMagick
    < 6.9.13-50 · < 7.1.2-25
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
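To check an image inventory against the affected ranges listed above, here is an added example (not HarborGuard's or ImageMagick's own code). It assumes ImageMagick's usual `major.minor.micro-patch` version form as printed by `magick -version` / `convert -version`; the inventory lines below are constructed.

```python
import re

# First patched release on each major branch, taken from the advisory.
FIXED = {6: (6, 9, 13, 50), 7: (7, 1, 2, 25)}

# ImageMagick versions look like 7.1.2-24: three dot parts plus a dash patch level.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)-(\d+)")

# Constructed sample: image name -> first line of `magick -version` output
# collected from that image (e.g. via `docker run --rm <image> magick -version`).
SAMPLE_INVENTORY = {
    "api/thumbnailer:1.4": "Version: ImageMagick 7.1.2-24 Q16-HDRI x86_64",
    "batch/convert:2.0": "Version: ImageMagick 6.9.13-50 Q16 x86_64",
    "legacy/resizer:0.9": "Version: ImageMagick 6.9.12-98 Q16 x86_64",
    "tools/base:3.1": "no ImageMagick installed",
}


def parse_version(text: str) -> tuple:
    """Return (major, minor, micro, patch) found in text, or raise ValueError."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no ImageMagick version found in: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(text: str) -> bool:
    """True if the version is older than the fix on its own major branch.

    Tuple comparison handles older minor branches (6.9.12-98 < 6.9.13-50)
    as well as lower patch levels (7.1.2-24 < 7.1.2-25).
    """
    v = parse_version(text)
    fixed = FIXED.get(v[0])
    if fixed is None:
        raise ValueError(f"major branch {v[0]} not covered by this advisory")
    return v < fixed


def scan_inventory(inventory: dict) -> dict:
    """Classify each image as 'vulnerable', 'fixed' or 'unknown' (unparsable)."""
    result = {}
    for name, text in inventory.items():
        try:
            result[name] = "vulnerable" if is_vulnerable(text) else "fixed"
        except ValueError:
            result[name] = "unknown"
    return result
```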