HarborGuard Database

HIGH · CVE-2026-53461 · CNA: GitHub_M

CVE-2026-53461: ImageMagick: Out-of-bounds write in ICON decoder due to incorrect loop

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-50 and 7.1.2-25, an incorrect loop in the ICON decoder can result in an out of bounds heap write resulting in a crash. This issue has been patched in versions 6.9.13-50 and 7.1.2-25.

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Affected Products: 1


HarborGuard Analysis

Synopsis

An out-of-bounds heap write in ImageMagick's ICON decoder allows a remote, unauthenticated attacker to crash the affected process. The bug is reachable over the network with no authentication required and no victim interaction needed, making it trivially exploitable against any service that accepts and processes ICON image files. Successful exploitation causes a denial of service by crashing the ImageMagick process. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment upstream publishes a fix version.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle ImageMagick. Any affected image version is flagged automatically in both registry scans and CI/CD pipeline checks.

Triage: Available

HarborGuard surfaces this CVE with its CVSS v3.1 score of 7.5 (HIGH) and weights it against each customer environment's compliance policy to determine urgency and routing. Findings are delivered to the appropriate team inbox within each customer org based on configured ownership rules.

Patch: Pending upstream

Because no fix version has been published upstream, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention once a fix version becomes available.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the vulnerable service over the network; any internet-exposed or internally networked ImageMagick processing endpoint is in scope.

  • Authentication: Not required

    No credentials or account of any kind are needed to trigger the vulnerable ICON decoding path.

  • Victim interaction: Not required

    No user action is required; submitting a malformed ICON file to the service is sufficient to trigger the crash.

  • Attack complexity: Low

    Exploitation is reliable and condition-free; no race conditions or specific memory layout are required to trigger the out-of-bounds write.

Blast Radius

  • Crashes the ImageMagick worker process, taking down any service or pipeline stage that depends on it for image processing.
  • Repeated submissions of a malformed ICON file can sustain a denial-of-service condition, blocking all image processing for affected workloads.
  • No confidentiality or integrity impact is indicated by the CVSS vector; data exposure and data modification are not demonstrated attack outcomes for this vulnerability.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix has been published for this vulnerability, HarborGuard continuously re-evaluates the advisory on each ingest cycle and will trigger a patched-image rebuild automatically when versions 6.9.13-50 or 7.1.2-25 (or later) become available. In the interim, customers can apply compensating controls through HarborGuard network policy recommendations, such as restricting ingress to image-processing services, blocking untrusted ICON file submissions at the application or gateway layer, and isolating ImageMagick workloads from broader internal networks. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be initiated without manual intervention the moment the upstream fix is confirmed in the advisory feed.
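An added example (not HarborGuard's or ImageMagick's code) of the application-layer control mentioned above: refusing ICON content by inspecting the bytes rather than the filename or declared Content-Type, since ImageMagick selects its decoder from the file's magic bytes. The allowed-format list and the gate function are assumptions for a hypothetical upload service.

```python
"""Added example: gate uploads before they reach ImageMagick.

Decisions are made on file content, not on the filename, because
ImageMagick picks a decoder from magic bytes, so a renamed .ico would
still hit the ICON decoder. Formats the service needs are allowlisted;
everything else, ICON included, is refused.
"""
from typing import Optional, Tuple

# Magic prefixes for the formats this hypothetical service accepts (assumption).
ALLOWED_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def is_icon(data: bytes) -> bool:
    """True if data starts with an ICONDIR header: reserved=0, type 1 (ICO) or 2 (CUR)."""
    if len(data) < 6:
        return False
    reserved = int.from_bytes(data[0:2], "little")
    kind = int.from_bytes(data[2:4], "little")
    return reserved == 0 and kind in (1, 2)


def sniff_format(data: bytes) -> Optional[str]:
    """Return the allowlisted format name whose magic matches, or None."""
    for name, magic in ALLOWED_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def admit_upload(data: bytes, declared_name: str) -> Tuple[bool, str]:
    """Return (accepted, reason). The allowlist alone would reject ICON;
    the explicit check gives a clearer reason for logs and metrics."""
    if is_icon(data):
        return False, "ICON (ICO/CUR) content refused"
    fmt = sniff_format(data)
    if fmt is None:
        return False, "format not on allowlist"
    return True, f"accepted as {fmt} (declared {declared_name!r})"


# Constructed samples: an ICO header renamed to .png, and a real PNG signature.
ICO_DISGUISED = b"\x00\x00\x01\x00\x01\x00" + b"\x00" * 10
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 10

if __name__ == "__main__":
    print(admit_upload(ICO_DISGUISED, "avatar.png"))
    print(admit_upload(PNG_STUB, "avatar.png"))
```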

Affected packages
  • ImageMagick / ImageMagick
    < 6.9.13-50 · < 7.1.2-25
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H