ImageMagick has Memory Leak in magick stream
Description
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions prior to 7.1.2-0 and 6.9.13-26, in ImageMagick's magick stream command, specifying multiple consecutive %d format specifiers in a filename template causes a memory leak. Versions 7.1.2-0 and 6.9.13-26 fix the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A memory leak in ImageMagick's `magick stream` command occurs when multiple consecutive `%d` format specifiers are used in a filename template, fixed in versions 7.1.2-0 and 6.9.13-26.
Vulnerability
Overview
In ImageMagick, a widely used open-source image processing suite, a memory leak vulnerability exists in the magick stream command. When a user specifies multiple consecutive %d format specifiers in a filename template (e.g., %d%d), the application fails to properly free allocated memory, leading to a resource leak [1][2][3]. This bug is present in all versions prior to 7.1.2-0 and 6.9.13-26 [2].
Exploitation
The vulnerability is triggered by supplying crafted command-line arguments to the magick stream utility. An attacker with access to execute the magick stream command—either directly or indirectly through an application that wraps ImageMagick—can induce the memory leak by providing a filename pattern containing consecutive %d placeholders [3]. No authentication is required beyond the ability to run the command, making this accessible to any user or process that can invoke ImageMagick.
Impact
Successful exploitation results in progressive memory consumption, which can exhaust available system memory over time. This may lead to denial of service (DoS) conditions, degrading performance or crashing the application [2][3]. The leak is confirmed in the affected versions, as demonstrated by AddressSanitizer output showing a direct leak of 152 bytes from a single invocation [3]. Repeated usage of the vulnerable pattern can amplify the effect.
Mitigation
The issue is patched in ImageMagick versions 7.1.2-0 and 6.9.13-26, released on 2025-07-13 [4]. Users should upgrade to these or later versions. There are no known workarounds other than avoiding the use of consecutive %d specifiers in magick stream calls until the software can be updated. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of publication.
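The leak mechanism the advisory describes, reduced to a constructed C model (an added example, not ImageMagick's code): a per-stream struct holds a `quantum_info` pointer, the stream entry routine is invoked once per expanded filename, and a live-allocation counter stands in for the leak accounting that AddressSanitizer reported. Only the names `stream_info` and `quantum_info` come from the fix diff; every other identifier, the struct layout and the sample filenames are assumptions made for the model.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>

/* Constructed model of the re-entry pattern behind the StreamImage fix.
   Not ImageMagick's code: the real QuantumInfo/StreamInfo are far larger
   and are acquired/destroyed through ImageMagick's own API. */
typedef struct { int depth; } QuantumInfo;
typedef struct {
  QuantumInfo *quantum_info;   /* mirrors stream_info->quantum_info in the diff */
  const char  *filename;
} StreamInfo;

static int live_quantum_allocs = 0;   /* leak counter: allocations not yet freed */

static QuantumInfo *acquire_quantum_info(int depth) {
  QuantumInfo *q = malloc(sizeof *q);
  if (q == NULL)
    return NULL;
  q->depth = depth;
  live_quantum_allocs++;
  return q;
}

static void destroy_quantum_info(QuantumInfo *q) {
  if (q != NULL) {
    free(q);
    live_quantum_allocs--;
  }
}

/* Pre-fix behaviour: every entry acquires a fresh QuantumInfo and overwrites
   the pointer held by stream_info, orphaning the previous allocation. */
static int stream_image_unpatched(StreamInfo *si, const char *filename, int depth) {
  si->filename = filename;
  si->quantum_info = acquire_quantum_info(depth);
  return si->quantum_info != NULL;
}

/* Patched behaviour: the NULL guard added by the fix makes acquisition
   idempotent, so re-entering with the same stream_info reuses the pointer. */
static int stream_image_patched(StreamInfo *si, const char *filename, int depth) {
  si->filename = filename;
  if (si->quantum_info == NULL)
    si->quantum_info = acquire_quantum_info(depth);
  return si->quantum_info != NULL;
}

/* Drive one variant through `entries` calls (one per expanded frame name,
   standing in for the consecutive-%d template) and report how many
   allocations survive after the owner releases the pointer it still holds. */
static int leaked_after(int (*variant)(StreamInfo *, const char *, int), int entries) {
  /* Constructed sample filenames, as a %d%d template might expand them. */
  static const char *const names[] = { "frame-0-0.raw", "frame-0-1.raw", "frame-1-0.raw" };
  StreamInfo si = { NULL, NULL };

  live_quantum_allocs = 0;
  for (int i = 0; i < entries; i++)
    (void)variant(&si, names[i % 3], 8);

  destroy_quantum_info(si.quantum_info);  /* only the last pointer is reachable */
  si.quantum_info = NULL;
  return live_quantum_allocs;             /* 0 means no leak */
}

int main(void) {
  printf("unpatched, 3 entries: %d allocation(s) leaked\n",
         leaked_after(stream_image_unpatched, 3));
  printf("patched,   3 entries: %d allocation(s) leaked\n",
         leaked_after(stream_image_patched, 3));
  return 0;
}
```

The model shows why a single invocation leaks only a fixed number of bytes while repeated entries accumulate: each re-entry of the unpatched routine strands exactly one allocation, and the owner can only free the last pointer it holds. The same counter technique (increment on acquire, decrement on destroy, check for zero at teardown) is a cheap regression check to keep in a unit test alongside an ASan run.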
- GitHub - ImageMagick/ImageMagick: ImageMagick is a free, open-source software suite for creating, editing, converting, and displaying images. It supports 200+ formats and offers powerful command-line tools and APIs for automation, scripting, and integration across platforms.
- NVD - CVE-2025-53019
- Memory Leak in magick stream
- Release Magick.NET 14.7.0 · dlemstra/Magick.NET
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Magick.NET-Q16-AnyCPU (NuGet) | < 14.7.0 | 14.7.0 |
| Magick.NET-Q16-HDRI-AnyCPU (NuGet) | < 14.7.0 | 14.7.0 |
| Magick.NET-Q16-HDRI-OpenMP-arm64 (NuGet) | < 14.7.0 | 14.7.0 |
| Magick.NET-Q16-HDRI-OpenMP-x64 (NuGet) | < 14.7.0 | 14.7.0 |
| Magick.NET-Q16-HDRI-arm64 (NuGet) | < 14.7.0 | 14.7.0 |
| Magick.NET-Q16-HDRI-x64 (NuGet) | < 14.7.0 | 14.7.0 |
| Magick.NET-Q16-HDRI-x86 (NuGet) | < 14.7.0 | 14.7.0 |
| Magick.NET-Q16-OpenMP-arm64 (NuGet) | < 14.7.0 | 14.7.0 |
| Magick.NET-Q16-OpenMP-x64 (NuGet) | < 14.7.0 | 14.7.0 |
| Magick.NET-Q16-arm64 (NuGet) | < 14.7.0 | 14.7.0 |
| Magick.NET-Q16-x64 (NuGet) | < 14.7.0 | 14.7.0 |
| Magick.NET-Q16-x86 (NuGet) | < 14.7.0 | 14.7.0 |
| Magick.NET-Q8-AnyCPU (NuGet) | < 14.7.0 | 14.7.0 |
| Magick.NET-Q8-OpenMP-arm64 (NuGet) | < 14.7.0 | 14.7.0 |
| Magick.NET-Q8-OpenMP-x64 (NuGet) | < 14.7.0 | 14.7.0 |
| Magick.NET-Q8-arm64 (NuGet) | < 14.7.0 | 14.7.0 |
| Magick.NET-Q8-x64 (NuGet) | < 14.7.0 | 14.7.0 |
| Magick.NET-Q8-x86 (NuGet) | < 14.7.0 | 14.7.0 |
Affected products
- (no CPE) range: >=6.9.13 <6.9.13-26, >=7.1 <7.1.2-0
- (no CPE) range: < 7.1.2-0
Patches
d49460522669 Fixed memory leak when entering StreamImage multiple times.
1 file changed · +2 −1
magick/stream.c+2 −1 modified@@ -1261,7 +1261,8 @@ MagickExport Image *StreamImage(const ImageInfo *image_info, image_info->filename); read_info=CloneImageInfo(image_info); stream_info->image_info=image_info; - stream_info->quantum_info=AcquireQuantumInfo(image_info,(Image *) NULL); + if (stream_info->quantum_info == (QuantumInfo *) NULL) + stream_info->quantum_info=AcquireQuantumInfo(image_info,(Image *) NULL); if (stream_info->quantum_info == (QuantumInfo *) NULL) { read_info=DestroyImageInfo(read_info);
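Review bot: the NULL guard stops the repeat acquisition, but it also means a second entry keeps the QuantumInfo built from the first call's image_info while the adjacent line `stream_info->image_info=image_info;` is still overwritten on every entry; if quantum settings can legitimately differ between entries, destroying the held QuantumInfo and re-acquiring it would be the safer form of the fix, and either way the hunk should be paired with a confirmation that the code path tearing down stream_info releases quantum_info, since that release is not visible here. A regression test that drives StreamImage twice with the same stream_info under AddressSanitizer (the setup that surfaced the 152-byte leak) would pin the behaviour down.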
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-cfh4-9f7v-fhrc (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-53019 (ghsa, ADVISORY)
- github.com/ImageMagick/ImageMagick/commit/fc3ab0812edef903bbb2473c0ee652ddfd04fe5c (ghsa, WEB)
- github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cfh4-9f7v-fhrc (ghsa, x_refsource_CONFIRM, WEB)
- github.com/ImageMagick/ImageMagick6/commit/d49460522669232159c2269fa64f73ed30555c1b (ghsa, WEB)
- github.com/dlemstra/Magick.NET/releases/tag/14.7.0 (ghsa, WEB)
- lists.debian.org/debian-lts-announce/2025/09/msg00012.html (ghsa, WEB)
News mentions
No linked articles in our index yet.