tlder@devImageMagick patches a VIFF-encoder memory leak
tlder@dev:~$
Security/CVEs/Advisories

ImageMagick patches a VIFF-encoder memory leak

  • Shipped

The bug sits on the VIFF encoder's error path: when an allocation fails partway through a write, the buffers already grabbed never get freed, so anyone who can push crafted VIFF files through a conversion pipeline can slowly starve the host. It's denial-of-service at worst — no code execution, no data leak — and CVE-2026-61870 wears a 2.9 CVSS to match. If your image pipeline takes untrusted uploads, 7.1.2-26 is worth picking up; if you never touch VIFF, it can ride along with your next routine bump.