VYPR
Moderate severity · NVD Advisory · Published Dec 2, 2025 · Updated Dec 11, 2025

ImageMagick has a use-after-free/double-free risk in Options::fontFamily when clearing family

CVE-2025-65955

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-9 and 6.9.13-34, there is a vulnerability in ImageMagick’s Magick++ layer that manifests when Options::fontFamily is invoked with an empty string. Clearing a font family calls RelinquishMagickMemory on _drawInfo->font, freeing the font string but leaving _drawInfo->font pointing to freed memory while _drawInfo->family is set to that (now-invalid) pointer. Any later cleanup or reuse of _drawInfo->font re-frees or dereferences dangling memory. DestroyDrawInfo and other setters (Options::font, Image::font) assume _drawInfo->font remains valid, so destruction or subsequent updates trigger crashes or heap corruption. This vulnerability is fixed in 7.1.2-9 and 6.9.13-34.
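
The ownership error described above, reduced to a small C model in which a release only records the pointer, so a repeated release is counted rather than executed. This is an added example, not ImageMagick's code or its patch; every name in it (DrawModel, release, clear_family_flawed, clear_family_hardened) is hypothetical, and the hardened clear is one assumed way to keep ownership sound.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model: every name below is hypothetical, not ImageMagick's. */
typedef struct { char *font; char *family; } DrawModel;
static void *released[8]; static int n_released, repeat_releases;

/* Stand-in for a release call that returns NULL. It only records the
   pointer, so a repeated release is counted instead of executed. */
static void *release(void *p) {
    if (p == NULL) return NULL;
    for (int i = 0; i < n_released; i++)
        if (released[i] == p) { repeat_releases++; return NULL; }
    if (n_released < 8) released[n_released++] = p;
    return NULL;
}

/* Flawed clear, following the description: the font string is released,
   font keeps its stale value, and family is pointed at the same address. */
static void clear_family_flawed(DrawModel *d) {
    release(d->font);
    d->family = d->font;
}

/* Hardened clear: release the member being cleared and store the NULL. */
static void clear_family_hardened(DrawModel *d) {
    d->family = release(d->family);
}

/* Set font and family, clear the family, then run destroy-time cleanup.
   Returns the number of releases that hit an already-released pointer. */
int repeat_releases_after_clear(int hardened) {
    char *font = malloc(16), *family = malloc(16);
    if (font == NULL || family == NULL) { free(font); free(family); return -1; }
    strcpy(font, "Helvetica"); strcpy(family, "Sans");
    DrawModel d = { font, family };
    n_released = repeat_releases = 0;
    if (hardened) clear_family_hardened(&d); else clear_family_flawed(&d);
    d.font = release(d.font);      /* cleanup releases both members */
    d.family = release(d.family);
    free(font); free(family);      /* real frees happen exactly once, here */
    return repeat_releases;
}

int main(void) {
    printf("%d %d\n", repeat_releases_after_clear(0), repeat_releases_after_clear(1));
    return 0;
}
```

A nonzero count for the flawed path corresponds to the double release at cleanup; the same condition in a real build is what AddressSanitizer reports as a double-free or heap-use-after-free.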

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ImageMagick Magick++ use-after-free when clearing fontFamily with empty string, causing possible crashes or heap corruption. Fixed in 7.1.2-9 and 6.9.13-34.

Vulnerability

Analysis

ImageMagick, a widely used open-source image processing suite, contains a use-after-free vulnerability in its Magick++ C++ API layer. The bug is triggered when the Options::fontFamily() method is called with an empty string to clear the font family. The code calls RelinquishMagickMemory on _drawInfo->font, freeing the memory, but then sets _drawInfo->family to point to that freed memory [1]. This leaves a dangling pointer in _drawInfo->font, which is not properly invalidated. Any subsequent use of _drawInfo->font—such as during DestroyDrawInfo cleanup or when setting a new font—becomes a use-after-free operation. The error was present in ImageMagick versions prior to 7.1.2-9 and 6.9.13-34 [1][3].

Exploitation

Exploitation requires calling the fontFamily setter with an empty string, which is a legitimate API operation. No special authentication is needed; the attacker must only convince an application using the affected Magick++ library to invoke this function—commonly by crafting an image or input that triggers font clearing. Once the dangling pointer is created, any subsequent operation that accesses or frees _drawInfo->font can trigger a crash. The vulnerability does not require network access if the application processes untrusted local files, but remote exploitation is possible if the application accepts user-supplied images over a network protocol.

Impact

An attacker can cause a denial-of-service via application crash or potentially achieve heap corruption, which may lead to more severe consequences depending on memory layout and subsequent operations. The corruption occurs because the freed memory may be reused by other allocations, and a double-free or use-after-free can destabilize the heap [1]. While the official advisory does not confirm remote code execution, heap corruption in a C++ application is a known vector for arbitrary code execution under favorable conditions.

Mitigation

The vulnerability is fixed in ImageMagick versions 7.1.2-9 and 6.9.13-34 [1][3]. Users of ImageMagick should upgrade to the patched versions immediately. No workaround other than avoiding the use of the fontFamily setter with an empty string is known, but such a workaround is impractical in many applications. This flaw does not appear on CISA's Known Exploited Vulnerabilities catalog as of the publication date.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
Magick.NET-Q16-AnyCPUNuGet
<= 14.9.1
Magick.NET-Q16-HDRI-AnyCPUNuGet
<= 14.9.1
Magick.NET-Q16-HDRI-OpenMP-arm64NuGet
<= 14.9.1
Magick.NET-Q16-HDRI-OpenMP-x64NuGet
<= 14.9.1
Magick.NET-Q16-HDRI-arm64NuGet
<= 14.9.1
Magick.NET-Q16-HDRI-x64NuGet
<= 14.9.1
Magick.NET-Q16-HDRI-x86NuGet
<= 14.9.1
Magick.NET-Q16-OpenMP-arm64NuGet
<= 14.9.1
Magick.NET-Q16-OpenMP-x64NuGet
<= 14.9.1
Magick.NET-Q16-arm64NuGet
<= 14.9.1
Magick.NET-Q16-x64NuGet
<= 14.9.1
Magick.NET-Q16-x86NuGet
<= 14.9.1
Magick.NET-Q8-AnyCPUNuGet
<= 14.9.1
Magick.NET-Q8-OpenMP-arm64NuGet
<= 14.9.1
Magick.NET-Q8-OpenMP-x64NuGet
<= 14.9.1
Magick.NET-Q8-arm64NuGet
<= 14.9.1
Magick.NET-Q8-x64NuGet
<= 14.9.1
Magick.NET-Q8-x86NuGet
<= 14.9.1

Affected products

  • ImageMagick/Imagemagick (llm-fuzzy, 2 versions)
    • (no CPE) range: >=6.9.13 <6.9.13-34 || >=7.1.2 <7.1.2-9
    • (no CPE) range: >= 7.0.1-0, < 7.1.2-9
