ImageMagick has memory leak of watermark Image object in ReadSTEGANOImage on multiple error/early-return paths

Vulnerability

CVE-2026-25796 is a memory leak in the ReadSTEGANOImage() function within coders/stegano.c. On three early-return paths, the watermark Image object is not freed, resulting in a definite memory leak of approximately 13.5 KB per invocation [2][4]. This affects ImageMagick versions prior to 7.1.2-15 and 6.9.13-40 [2].

Exploitation

An attacker can trigger the leak by providing a crafted steganographic image that forces ReadSTEGANOImage() to exit early on one of the vulnerable paths. No authentication or special privileges are needed; any application that processes user-supplied images—such as web upload services, email filters, or image processing pipelines using ImageMagick—is potentially exposed [1]. The attack is low-complexity and can be repeated to exhaust memory resources.

Impact

Repeated exploitation of this memory leak can progressively consume available memory, leading to denial of service for the ImageMagick process and possibly the host system. The leak accumulates per invocation, so a sustained series of crafted images can degrade or crash the service [2].

Mitigation

The issue is patched in ImageMagick versions 7.1.2-15 and 6.9.13-40 [2][4]. Users should upgrade to these or later releases. The fix adds DestroyImage(watermark) calls before each early return path, ensuring the watermark object is properly freed [4].