VYPR
Moderate severity · OSV Advisory · Published Jan 20, 2026 · Updated Jan 21, 2026

ImageMagick vulnerable to Release of Invalid Pointer in BilateralBlur when memory allocation fails

CVE-2026-22770

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. The BilateralBlurImage method allocates a set of double buffers inside AcquireBilateralTLS. In versions prior to 7.1.2-13, however, the last element in the set is not properly initialized, so when a memory allocation fails the cleanup in DestroyBilateralTLS releases an invalid pointer. Version 7.1.2-13 contains a patch for the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ImageMagick's BilateralBlurImage method leaves one double-buffer element uninitialized, causing an invalid pointer to be released when a memory allocation fails; patched in 7.1.2-13.

A vulnerability exists in ImageMagick's BilateralBlurImage method, versions prior to 7.1.2-13. The AcquireBilateralTLS function allocates a set of double buffers, but the last element in this set is not properly initialized. When a subsequent memory allocation fails, the cleanup routine (DestroyBilateralTLS) attempts to release this uninitialized element, resulting in the release of an invalid pointer [2][3].

An attacker could exploit this by providing a specially crafted image that triggers the memory allocation failure while BilateralBlurImage is processing it. Since ImageMagick is often used in server-side image processing or automation pipelines, an attacker may deliver the image remotely (e.g., via upload or URL) without requiring authentication. No user interaction beyond opening or processing the image is needed to trigger the defect [3][4].

The release of an invalid pointer leads to undefined behavior, typically an application crash (denial of service). In worst-case scenarios memory corruption might be possible, but the advisory does not establish code execution. The issue is fixed in ImageMagick version 7.1.2-13, which was released on 2026-01-19 and incorporated into downstream libraries such as Magick.NET 14.10.2 [4]. Users should upgrade to the patched version or apply the vendor-supplied patch.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
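The defect class described in the Description and AI Insight above (a buffer slot left uninitialized, then handed to free() by a cleanup routine that runs when a later allocation fails) is easy to model in a few lines. The following is an added, constructed C example, not ImageMagick's code: the struct, the fault-injecting allocator and the function names acquire_tls, destroy_tls and acquire_and_release are assumptions that mirror the AcquireBilateralTLS/DestroyBilateralTLS pattern, and the hardened acquire shows the ordering that keeps the cleanup safe.

```c
#include <stdlib.h>

/* Constructed model of the pattern in the advisory, not ImageMagick's code:
 * a set of per-thread double buffers acquired in a loop and released by one
 * cleanup routine that also runs when an allocation in that loop fails. */
#define BUFFER_COUNT 4
typedef struct { double *buffers[BUFFER_COUNT]; } BilateralTLS;

/* Fault-injecting allocator: fails on the call numbered fail_at (1-based);
 * 0 never fails. It lets the cleanup path be exercised deterministically. */
static int alloc_calls, fail_at;

static void *fallible_alloc(size_t size) {
    return (++alloc_calls == fail_at) ? NULL : malloc(size);
}

/* Mirrors DestroyBilateralTLS: releases every slot. Safe only while each
 * slot holds a live allocation or NULL (free(NULL) is a no-op). */
static void destroy_tls(BilateralTLS *tls) {
    if (tls == NULL) return;
    for (size_t i = 0; i < BUFFER_COUNT; i++) free(tls->buffers[i]);
    free(tls);
}

/* Hardened acquire: calloc zeroes every slot before the loop, so a failure
 * part way through leaves the untouched slots NULL for the cleanup above.
 * The advisory's defect is a last slot never initialized: cleanup after a
 * failed allocation then passes whatever garbage it holds to free(). */
static BilateralTLS *acquire_tls(void) {
    BilateralTLS *tls = calloc(1, sizeof(*tls));
    if (tls == NULL) return NULL;
    for (size_t i = 0; i < BUFFER_COUNT; i++) {
        tls->buffers[i] = fallible_alloc(256 * sizeof(double));
        if (tls->buffers[i] == NULL) { destroy_tls(tls); return NULL; }
    }
    return tls;
}

/* Runs acquire with a failure injected at call fail_call (0 = none,
 * otherwise 1..BUFFER_COUNT) and returns 1 when the outcome is right:
 * NULL on injected failure, a fully populated set otherwise, cleanly freed. */
int acquire_and_release(int fail_call) {
    alloc_calls = 0;
    fail_at = fail_call;
    BilateralTLS *tls = acquire_tls();
    if (fail_call != 0) return tls == NULL;
    if (tls == NULL) return 0;
    destroy_tls(tls);
    return 1;
}
```

Running it under AddressSanitizer or Valgrind with a failure injected at each call number is the check a maintainer would want: with the zero-initialization removed, the injected failure reaches free() with an uninitialized slot and the tool reports it immediately.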

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                           Ecosystem  Affected versions  Patched versions
Magick.NET-Q8-x64                 NuGet      < 14.10.2          14.10.2
Magick.NET-Q8-arm64               NuGet      < 14.10.2          14.10.2
Magick.NET-Q8-x86                 NuGet      < 14.10.2          14.10.2
Magick.NET-Q8-OpenMP-x64          NuGet      < 14.10.2          14.10.2
Magick.NET-Q8-OpenMP-arm64        NuGet      < 14.10.2          14.10.2
Magick.NET-Q16-x64                NuGet      < 14.10.2          14.10.2
Magick.NET-Q16-arm64              NuGet      < 14.10.2          14.10.2
Magick.NET-Q16-x86                NuGet      < 14.10.2          14.10.2
Magick.NET-Q16-OpenMP-x64         NuGet      < 14.10.2          14.10.2
Magick.NET-Q16-OpenMP-arm64       NuGet      < 14.10.2          14.10.2
Magick.NET-Q16-OpenMP-x86         NuGet      < 14.10.2          14.10.2
Magick.NET-Q16-HDRI-x64           NuGet      < 14.10.2          14.10.2
Magick.NET-Q16-HDRI-arm64         NuGet      < 14.10.2          14.10.2
Magick.NET-Q16-HDRI-x86           NuGet      < 14.10.2          14.10.2
Magick.NET-Q16-HDRI-OpenMP-x64    NuGet      < 14.10.2          14.10.2
Magick.NET-Q16-HDRI-OpenMP-arm64  NuGet      < 14.10.2          14.10.2
Magick.NET-Q8-AnyCPU              NuGet      < 14.10.2          14.10.2
Magick.NET-Q16-AnyCPU             NuGet      < 14.10.2          14.10.2
Magick.NET-Q16-HDRI-AnyCPU        NuGet      < 14.10.2          14.10.2

Affected products (2)

  • (no CPE) range: 7.0.1-0, 7.0.1-1, 7.0.1-10, …
  • (no CPE) range: <7.1.2-13

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (5)

News mentions (0)

No linked articles in our index yet.