Skip to main content

ImageMagick CVE-2026-25969

HIGH
Memory Leak (CWE-401)
2026-02-24 security-advisories@github.com GHSA-xgm3-v4r9-wfgm
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
3.7 LOW

Remote input can reach the coder (AV:N, PR:N) but DoS requires repeatedly triggering an exception in ASHLAR write to accumulate a small per-call leak, so AC:H and A:L.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
SUSE
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Red Hat
5.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

11
Analysis Updated
Jun 23, 2026 - 18:50 vuln.today
v5 (cvss_changed)
Analysis Updated
Jun 23, 2026 - 18:49 vuln.today
v4 (cvss_changed)
Analysis Updated
Jun 23, 2026 - 18:48 vuln.today
v3 (cvss_changed)
Source Code Evidence Fetched
Jun 23, 2026 - 18:48 vuln.today
Analysis Updated
Jun 23, 2026 - 18:48 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 23, 2026 - 18:22 vuln.today
cvss_changed
Severity Changed
Jun 23, 2026 - 18:22 NVD
MEDIUM HIGH
CVSS changed
Jun 23, 2026 - 18:22 NVD
5.3 (MEDIUM) 7.5 (HIGH)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
CVE Published
Feb 24, 2026 - 02:16 nvd
MEDIUM 5.3

DescriptionNVD

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-15, a memory leak exists in coders/ashlar.c. The WriteASHLARImage allocates a structure. However, when an exception is thrown, the allocated memory is not properly released, resulting in a potential memory leak. Version 7.1.2-15 contains a patch.

AnalysisAI

Denial of service in ImageMagick prior to 7.1.2-15 stems from a memory leak in the WriteASHLARImage function within coders/ashlar.c, where an allocated structure is not released when an exception is thrown during ASHLAR image encoding. Remote attackers who can submit images for processing can trigger repeated leaks to exhaust process memory in long-running services that embed ImageMagick. No public exploit identified at time of analysis, and EPSS risk is negligible at 0.05% (16th percentile).

Technical ContextAI

ImageMagick is a widely used C library and suite of CLI tools for converting and manipulating images, frequently embedded in web stacks, content pipelines, and language bindings such as Magick.NET. The bug is a classic CWE-401 (Missing Release of Memory after Effective Lifetime): inside coders/ashlar.c, WriteASHLARImage allocates a tracking structure but the cleanup path is skipped when ThrowWriterException is invoked, so the allocation is orphaned on every failed write. The ASHLAR coder is a layout/binning writer that arranges multiple images, and exception paths are reachable through malformed inputs or resource-limit conditions during encoding. The advisory at GHSA-xgm3-v4r9-wfgm and commit a253d1b124ebdcc2832daac6f9a35c362635b40e address the bug by ensuring the structure is freed before throwing.

RemediationAI

Vendor-released patch: ImageMagick 7.1.2-15, available via the upstream commit a253d1b124ebdcc2832daac6f9a35c362635b40e and the GHSA-xgm3-v4r9-wfgm advisory; .NET consumers should upgrade Magick.NET packages to 14.10.3 or later. SUSE users should apply SUSE-SU-2026:0851 and SUSE-SU-2026:0852 (https://www.suse.com/support/update/SUSE-SU-2026:0851/, https://www.suse.com/support/update/SUSE-SU-2026:0852/). Where patching must be delayed, disable the ASHLAR coder in policy.xml with a line such as <policy domain="coder" rights="none" pattern="ASHLAR" />, which removes the leaky write path at the cost of breaking any workflow that legitimately renders ASHLAR layouts, and constrain MAGICK_MEMORY_LIMIT plus per-process RLIMIT_AS so a leaking worker is recycled before exhausting host memory; long-running converters should additionally be configured to restart workers after a bounded number of requests.

CVE-2017-15277 MEDIUM POC
6.5 Oct 12

ReadGIFImage in coders/gif.c in ImageMagick 7.0.6-1 and GraphicsMagick 1.3.26 leaves the palette uninitialized when proc

CVE-2016-5841 CRITICAL POC
9.8 Dec 13

Integer overflow in MagickCore/profile.c in ImageMagick before 7.0.2-1 allows remote attackers to cause a denial of serv

CVE-2016-3717 MEDIUM POC
5.5 May 05

The LABEL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to read arbitrary files vi

CVE-2016-5118 CRITICAL
9.8 Jun 10

The OpenBlob function in blob.c in GraphicsMagick before 1.3.24 and ImageMagick allows remote attackers to execute arbit

CVE-2016-5689 CRITICAL POC
9.8 Dec 13

The DCM reader in ImageMagick before 6.9.4-5 and 7.x before 7.0.1-7 allows remote attackers to have unspecified impact b

CVE-2016-5690 CRITICAL POC
9.8 Dec 13

The ReadDCMImage function in DCM reader in ImageMagick before 6.9.4-5 and 7.x before 7.0.1-7 allows remote attackers to

CVE-2016-5691 CRITICAL POC
9.8 Dec 13

The DCM reader in ImageMagick before 6.9.4-5 and 7.x before 7.0.1-7 allows remote attackers to have unspecified impact b

CVE-2017-14138 CRITICAL POC
9.8 Sep 04

ImageMagick 7.0.6-5 has a memory leak vulnerability in ReadWEBPImage in coders/webp.c because memory is not freed in cer

CVE-2026-23876 CRITICAL POC
9.8 Jan 20

Heap buffer overflow in ImageMagick's XBM image decoder (ReadXBMImage) lets remote attackers write attacker-controlled d

CVE-2023-34152 CRITICAL POC
9.8 May 30

A vulnerability was found in ImageMagick. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable

CVE-2019-19952 CRITICAL POC
9.8 Dec 24

In ImageMagick 7.0.9-7 Q16, there is a use-after-free in the function MngInfoDiscardObject of coders/png.c, related to R

CVE-2018-14551 CRITICAL POC
9.8 Jul 23

The ReadMATImageV4 function in coders/mat.c in ImageMagick 7.0.8-7 uses an uninitialized variable, leading to memory cor

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
Container suse/sl-micro/6.1/baremetal-os-container:2.2.1-7.41 Container suse/sl-micro/6.1/base-os-container:2.2.1-5.62 Container suse/sl-micro/6.1/kvm-os-container:2.2.1-5.65 Container suse/sl-micro/6.1/rt-os-container:2.2.1-5.54 Image SL-Micro-Azure Image SL-Micro-BYOS-Azure Image SL-Micro-BYOS-EC2 Image SL-Micro-BYOS-GCE Image SL-Micro-EC2 Image SUSE-Multi-Linux-Manager-Proxy-BYOS-Azure Image SUSE-Multi-Linux-Manager-Proxy-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Proxy-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-Azure-llc Image SUSE-Multi-Linux-Manager-Server-Azure-ltd Image SUSE-Multi-Linux-Manager-Server-BYOS-Azure Image SUSE-Multi-Linux-Manager-Server-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Server-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-EC2-llc Image SUSE-Multi-Linux-Manager-Server-EC2-ltd Affected
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Development Tools 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP6-LTSS Fixed

Share

CVE-2026-25969 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy