VYPR
← All advisories
Moderate severityNVD Advisory· Published Feb 24, 2026· Updated Feb 26, 2026

ImageMagick has Memory Leak in coders/ashlar.c

CVE-2026-25969

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-15, a memory leak exists in coders/ashlar.c. The WriteASHLARImage allocates a structure. However, when an exception is thrown, the allocated memory is not properly released, resulting in a potential memory leak. Version 7.1.2-15 contains a patch.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A memory leak in ImageMagick's ASHLAR encoder prior to 7.1.2-15 occurs when an exception is thrown, leaving allocated structures unreleased.

Root

Cause

The vulnerability is a memory leak in the WriteASHLARImage function within coders/ashlar.c. When an exception is thrown during the encoding process, the allocated memory for internal structures — specifically an ImageInfo structure — is not properly freed, as the cleanup path fails to release the allocation. This was addressed in commit a253d1b124ebdcc2832daac6f9a35c362635b40e by restructuring the allocation and deallocation of write_info to ensure it is always released [4].

Attack

Surface

The ASHLAR encoder is invoked when ImageMagick processes images in certain formats or through scripting. An attacker would need to supply a crafted image that triggers an exception during encoding, possibly from malformed metadata or over-large dimensions. No authentication is required if the software is used in a service that accepts user-submitted images, such as a web application or batch processing pipeline.

Impact

Repeatedly triggering the leak can exhaust available memory on the target system, leading to a denial of service (DoS) condition. While this does not allow arbitrary code execution, it can disrupt availability for other processes sharing the same memory space.

Mitigation

ImageMagick version 7.1.2-15 contains the fix [1][2]. Users should upgrade to this version or later. Magick.NET version 14.10.3 also includes the corresponding fix as part of a security release [3]. No workarounds other than patching are documented.

References
  1. GitHub - ImageMagick/ImageMagick: ImageMagick is a free, open-source software suite for creating, editing, converting, and displaying images. It supports 200+ formats and offers powerful command-line tools and APIs for automation, scripting, and integration across platforms.
  2. NVD - CVE-2026-25969
  3. Release Magick.NET 14.10.3 · dlemstra/Magick.NET
  4. https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-x… · ImageMagick/ImageMagick@a253d1b

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
Magick.NET-Q16-AnyCPUNuGet
< 14.10.314.10.3
Magick.NET-Q16-HDRI-AnyCPUNuGet
< 14.10.314.10.3
Magick.NET-Q16-HDRI-OpenMP-arm64NuGet
< 14.10.314.10.3
Magick.NET-Q16-HDRI-OpenMP-x64NuGet
< 14.10.314.10.3
Magick.NET-Q16-HDRI-arm64NuGet
< 14.10.314.10.3
Magick.NET-Q16-HDRI-x64NuGet
< 14.10.314.10.3
Magick.NET-Q16-HDRI-x86NuGet
< 14.10.314.10.3
Magick.NET-Q16-OpenMP-arm64NuGet
< 14.10.314.10.3
Magick.NET-Q16-OpenMP-x64NuGet
< 14.10.314.10.3
Magick.NET-Q16-OpenMP-x86NuGet
< 14.10.314.10.3
Magick.NET-Q16-arm64NuGet
< 14.10.314.10.3
Magick.NET-Q16-x86NuGet
< 14.10.314.10.3
Magick.NET-Q8-AnyCPUNuGet
< 14.10.314.10.3
Magick.NET-Q8-OpenMP-arm64NuGet
< 14.10.314.10.3
Magick.NET-Q8-OpenMP-x64NuGet
< 14.10.314.10.3
Magick.NET-Q8-arm64NuGet
< 14.10.314.10.3
Magick.NET-Q8-x64NuGet
< 14.10.314.10.3
Magick.NET-Q8-x86NuGet
< 14.10.314.10.3

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

5

News mentions

0

No linked articles in our index yet.