Time-of-check Time-of-use (TOCTOU) Race Condition in ImageMagick - #VU133103


Published: May 31, 2026

Vulnerability identifier: #VU133103
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-367
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: ImageMagick.org
Affected software: ImageMagick

Detailed vulnerability description

The vulnerability allows a local user to create or truncate files that are disallowed by the security policy.

The vulnerability exists due to a time-of-check time-of-use race condition in the policy check logic when handling file creation or truncation operations. A local user can exploit the race so that the check passes against one state and the operation then proceeds against another, creating or truncating files that the security policy disallows.

This is relevant for sandboxed conversion services that rely on ImageMagick path policies to enforce write boundaries.
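As an added illustration (not ImageMagick's code; the policy_create/policy_truncate names and the /tmp scratch directory are assumptions), the check-then-act shape behind CWE-367 next to one way to close the window: resolve a single name relative to an already-open allowed directory, and verify the object that was actually opened before truncating it:

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Illustrative only, not ImageMagick code. CWE-367 shape: check the policy
 * against a path string, then create/truncate by that path later; anything that
 * re-points the path in between (a link swap, a rename) makes the check describe
 * a different object than the one finally written. Hardened shape follows. */
static int plain_name(const char *n) {
    return n && *n && !strchr(n, '/') && strcmp(n, ".") && strcmp(n, "..");
}
/* Create a new output file. O_EXCL refuses any existing object (a planted
 * symlink included); O_NOFOLLOW refuses to follow a link in the final component. */
int policy_create(int allowed_dirfd, const char *name) {
    if (!plain_name(name)) { errno = EACCES; return -1; }
    return openat(allowed_dirfd, name,
                  O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
}
/* Truncate an existing output: open first, then verify the object actually
 * opened (through the descriptor, not the path) before acting on it. */
int policy_truncate(int allowed_dirfd, const char *name) {
    struct stat st; int fd;
    if (!plain_name(name)) { errno = EACCES; return -1; }
    fd = openat(allowed_dirfd, name, O_WRONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    /* Regular file with one link only: no device, directory or hard link to elsewhere. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        ftruncate(fd, 0) != 0) { close(fd); errno = EACCES; return -1; }
    return fd;
}
/* Self-check in a fresh temporary directory (constructed): returns 0 when every
 * case behaves as intended, -1 otherwise. */
int policy_selfcheck(void) {
    char tmpl[] = "/tmp/imgpolXXXXXX", *dir = mkdtemp(tmpl);
    int dirfd, fd, bad = 0;
    if (!dir || (dirfd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC)) < 0) return -1;
    fd = policy_create(dirfd, "out.png"); bad |= fd < 0; if (fd >= 0) close(fd);
    bad |= policy_create(dirfd, "out.png") >= 0;        /* refused: already exists */
    bad |= policy_create(dirfd, "../escape.png") >= 0;  /* refused: path component */
    bad |= symlinkat("/not/allowed/by/policy", dirfd, "link") != 0;
    bad |= policy_create(dirfd, "link") >= 0;           /* refused: planted link */
    bad |= policy_truncate(dirfd, "link") >= 0;         /* refused: would follow link */
    fd = policy_truncate(dirfd, "out.png"); bad |= fd < 0; if (fd >= 0) close(fd);
    unlinkat(dirfd, "link", 0); unlinkat(dirfd, "out.png", 0); close(dirfd); rmdir(dir);
    return bad ? -1 : 0;
}
```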


Remediation

Install the security update from the vendor's website.

Sources