VYPR
Moderate severity · NVD Advisory · Published Feb 24, 2026 · Updated Feb 26, 2026

ImageMagick: Possible memory leak in ASHLAR encoder

CVE-2026-25637

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-15, a memory leak in the ASHLAR image writer allows an attacker to exhaust process memory by providing a crafted image that results in small objects that are allocated but never freed. Version 7.1.2-15 contains a patch.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A memory leak in ImageMagick's ASHLAR image writer lets attackers exhaust memory via crafted images, fixed in 7.1.2-15.

Vulnerability

Overview

A memory leak exists in ImageMagick's ASHLAR image writer, affecting versions prior to 7.1.2-15. The flaw allows an attacker to exhaust process memory by providing a crafted image that causes small objects to be allocated but never freed. This is described as a memory leak in the ASHLAR encoder [1][4].

Exploitation

To exploit this, an attacker must supply a specially crafted image to the ASHLAR writer. The vulnerability does not require authentication, as it can be triggered through normal image processing operations. The leak occurs when processing such images, leading to repeated allocations without corresponding deallocations, eventually exhausting available memory [2][3].

Impact

If exploited, the memory leak can cause a denial of service by consuming all available system memory. This could lead to process crashes or system instability. The impact is limited to availability, as the leak does not allow code execution or data exfiltration [1][4].

Mitigation

The vulnerability is fixed in ImageMagick version 7.1.2-15. Users should upgrade to this version or later. No workaround is currently documented. The fix addresses the objects that were allocated but never freed in the ASHLAR writer [1][3].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package (NuGet) | Affected versions | Patched versions |
| --- | --- | --- |
| Magick.NET-Q16-AnyCPU | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-AnyCPU | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-OpenMP-arm64 | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-OpenMP-x64 | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-arm64 | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-x64 | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-x86 | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-OpenMP-arm64 | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-OpenMP-x64 | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-OpenMP-x86 | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-arm64 | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-x64 | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-x86 | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-AnyCPU | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-OpenMP-arm64 | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-OpenMP-x64 | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-arm64 | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-x64 | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-x86 | < 14.10.3 | 14.10.3 |
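
A version check against the fixed releases named in this advisory, as an added example (not code from the advisory or from the ImageMagick or Magick.NET projects). It assumes the version line has the form `ImageMagick X.Y.Z-P` and that packages are declared as `PackageReference` items with a `Version` attribute; the function names and sample inputs are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

FIXED_IMAGEMAGICK = (7, 1, 2, 15)  # advisory: fixed in 7.1.2-15
FIXED_MAGICK_NET = (14, 10, 3)     # advisory: patched in 14.10.3

def parse_im_version(text):
    """Return (major, minor, micro, patch) from `magick -version` style output."""
    m = re.search(r"ImageMagick (\d+)\.(\d+)\.(\d+)-(\d+)", text)
    if m is None:
        raise ValueError("no ImageMagick version string found")
    return tuple(int(g) for g in m.groups())

def imagemagick_is_affected(version_output):
    # Applies the advisory's "prior to 7.1.2-15" wording literally.
    return parse_im_version(version_output) < FIXED_IMAGEMAGICK

def affected_nuget_refs(csproj_xml):
    """List (package, version) for Magick.NET-Q* references not provably >= 14.10.3."""
    hits = []
    for el in ET.fromstring(csproj_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "PackageReference":  # ignore XML namespace
            continue
        name = el.get("Include", "")
        if not name.startswith("Magick.NET-Q"):
            continue
        version = el.get("Version", "")
        m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version)
        # Ranges, wildcards and missing versions cannot be proven patched: report them.
        if m is None or tuple(map(int, m.groups())) < FIXED_MAGICK_NET:
            hits.append((name, version or "unspecified"))
    return hits

# Constructed sample inputs (not taken from the advisory).
SAMPLE_VERSION_OUTPUT = "Version: ImageMagick 7.1.2-13 Q16-HDRI x86_64 https://imagemagick.org"
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Magick.NET-Q16-AnyCPU" Version="14.10.2" />
    <PackageReference Include="Magick.NET-Q8-x64" Version="14.10.3" />
    <PackageReference Include="Magick.NET-Q16-HDRI-x64" Version="14.*" />
    <PackageReference Include="Example.Logging" Version="1.0.0" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    print("ImageMagick affected:", imagemagick_is_affected(SAMPLE_VERSION_OUTPUT))
    for package, version in affected_nuget_refs(SAMPLE_CSPROJ):
        print("needs upgrade or review:", package, version)
```

Floating or ranged versions such as `14.*` are reported because the project file alone does not show which build was restored.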
