VYPR
← All advisories
Moderate severityNVD Advisory· Published Feb 24, 2026· Updated Feb 26, 2026

ImageMagick has memory leak in msl encoder

CVE-2026-25638

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, memory leak exists in coders/msl.c. In the WriteMSLImage function of the msl.c file, resources are allocated. But the function returns early without releasing these allocated resources. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ImageMagick before 7.1.2-15/6.9.13-40 has a memory leak in MSL encoder's WriteMSLImage due to early return without resource release.

Vulnerability

Overview A memory leak vulnerability exists in ImageMagick's MSL encoder, specifically in the WriteMSLImage function within coders/msl.c [2][4]. When processing MSL (Magick Scripting Language) files, resources are allocated but the function can return early without releasing those resources, leading to memory leaks [2][4].

Exploitation

An attacker can exploit this vulnerability by providing a specially crafted MSL file to an application that uses ImageMagick for image processing [1]. No authentication is required if the attacker can supply the input, making the attack surface broad across web services, image upload functions, and other image processing pipelines that use ImageMagick [1][2].

Impact

Repeated exploitation can cause progressive memory consumption, potentially leading to denial of service (DoS) as memory is exhausted [2]. The vulnerability affects all versions prior to 7.1.2-15 and 6.9.13-40 [2][4].

Mitigation

The issue has been patched in ImageMagick versions 7.1.2-15 and 6.9.13-40 [2][4]. Users should upgrade to these or later versions. The patch ensures that allocated resources are properly released on all code paths in WriteMSLImage [4].

References
  1. GitHub - ImageMagick/ImageMagick: ImageMagick is a free, open-source software suite for creating, editing, converting, and displaying images. It supports 200+ formats and offers powerful command-line tools and APIs for automation, scripting, and integration across platforms.
  2. NVD - CVE-2026-25638
  3. Memory leak in msl encoder

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
Magick.NET-Q16-AnyCPUNuGet
< 14.10.314.10.3
Magick.NET-Q16-HDRI-AnyCPUNuGet
< 14.10.314.10.3
Magick.NET-Q16-HDRI-OpenMP-arm64NuGet
< 14.10.314.10.3
Magick.NET-Q16-HDRI-OpenMP-x64NuGet
< 14.10.314.10.3
Magick.NET-Q16-HDRI-arm64NuGet
< 14.10.314.10.3
Magick.NET-Q16-HDRI-x64NuGet
< 14.10.314.10.3
Magick.NET-Q16-HDRI-x86NuGet
< 14.10.314.10.3
Magick.NET-Q16-OpenMP-arm64NuGet
< 14.10.314.10.3
Magick.NET-Q16-OpenMP-x64NuGet
< 14.10.314.10.3
Magick.NET-Q16-OpenMP-x86NuGet
< 14.10.314.10.3
Magick.NET-Q16-arm64NuGet
< 14.10.314.10.3
Magick.NET-Q16-x64NuGet
< 14.10.314.10.3
Magick.NET-Q16-x86NuGet
< 14.10.314.10.3
Magick.NET-Q8-AnyCPUNuGet
< 14.10.314.10.3
Magick.NET-Q8-OpenMP-arm64NuGet
< 14.10.314.10.3
Magick.NET-Q8-OpenMP-x64NuGet
< 14.10.314.10.3
Magick.NET-Q8-arm64NuGet
< 14.10.314.10.3
Magick.NET-Q8-x64NuGet
< 14.10.314.10.3
Magick.NET-Q8-x86.NET-Q8-x64NuGet
< 14.10.314.10.3

Affected products

2
  • ImageMagick/Imagemagickllm-fuzzy2 versions
    <=7.1.2-15, <=6.9.13-40+ 1 more
    • (no CPE)range: <=7.1.2-15, <=6.9.13-40
    • (no CPE)range: >= 7.0.0, < 7.1.2-15

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

5

News mentions

0

No linked articles in our index yet.