CVE-2026-25637
Memory Leak in ImageMagick ASHLAR Writer Causes Memory Exhaustion
Publication date: 2026-02-24
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| imagemagick | imagemagick | to 7.1.2-15 (exc) |
| dlemstra | magick.net | to 14.10.3 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-401 | The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25637 is a moderate severity memory leak vulnerability in the ASHLAR image encoder component of ImageMagick, an open-source image processing software. The issue occurs in versions prior to 7.1.2-15 when a specially crafted image causes the encoder to allocate small memory objects that are never freed. This leads to exhaustion of process memory over time.
Technically, the vulnerability is due to missing release of memory after its effective lifetime (CWE-401). The problem was that a DrawInfo pointer was cloned but not properly destroyed after use, causing memory to be leaked.
The vulnerability was fixed in version 7.1.2-15 by changing the code to delay cloning until after label validation and explicitly destroying the allocated memory after use.
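The leak and the fix described above, reduced to a small C model. This is an added example, not ImageMagick's source; `draw_info_t`, `clone_draw_info`, `destroy_draw_info`, `label_ok` and the `live` tracking list are hypothetical stand-ins.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Simplified stand-in for DrawInfo; names are hypothetical, not ImageMagick source. */
typedef struct draw_info { char *font; struct draw_info *next; } draw_info_t;
static draw_info_t *live = NULL;                 /* demo-only list of undestroyed clones */
static draw_info_t *clone_draw_info(const draw_info_t *src) {
    draw_info_t *d = malloc(sizeof *d);
    if (d == NULL) return NULL;
    d->font = malloc(strlen(src->font) + 1);
    if (d->font == NULL) { free(d); return NULL; }
    strcpy(d->font, src->font);
    d->next = live; live = d;                    /* record the clone as outstanding */
    return d;
}
static void destroy_draw_info(draw_info_t *d) {
    draw_info_t **p;
    for (p = &live; *p != NULL && *p != d; p = &(*p)->next) {}
    if (*p == NULL) return;                      /* unknown or already destroyed */
    *p = d->next;
    free(d->font); free(d);
}
static int label_ok(const char *label) { return label != NULL && label[0] != '\0'; }
/* Pattern the page describes as vulnerable: clone early, never destroy. */
static int annotate_leaky(const draw_info_t *base, const char *label) {
    draw_info_t *d = clone_draw_info(base);
    if (d == NULL || !label_ok(label)) return 0; /* clone lost when the label is rejected */
    return (int)strlen(d->font) > 0;             /* clone used, then lost on success too */
}
/* Pattern the page describes as the fix: validate, clone, use, destroy. */
static int annotate_fixed(const draw_info_t *base, const char *label) {
    if (!label_ok(label)) return 0;              /* nothing allocated yet */
    draw_info_t *d = clone_draw_info(base);
    if (d == NULL) return 0;
    int ok = (int)strlen(d->font) > 0;
    destroy_draw_info(d);
    return ok;
}
/* Run `calls` writes, alternating empty and valid labels; return clones left behind. */
long clones_left(int (*fn)(const draw_info_t *, const char *), int calls) {
    char font[] = "helvetica"; draw_info_t base = { font, NULL };
    long n = 0;
    for (int i = 0; i < calls; i++) fn(&base, (i % 2) ? "tile" : "");
    for (draw_info_t *d = live; d != NULL; d = d->next) n++;
    while (live != NULL) destroy_draw_info(live); /* keep the demo itself clean */
    return n;
}
int main(void) {
    printf("leaky: %ld  fixed: %ld\n", clones_left(annotate_leaky, 1000), clones_left(annotate_fixed, 1000));
}
```

Each leaked object is small, so the growth only becomes visible in a long-lived process that handles many writes, which matches the "exhaustion over time" behaviour described above.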
How can this vulnerability impact me?
This vulnerability can be exploited remotely without any privileges or user interaction, allowing an attacker to cause a memory leak in the ImageMagick process.
The availability impact is rated low: the attacker can exhaust process memory, which may lead to degraded performance or denial of service in the application using ImageMagick.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a memory leak in the ASHLAR image writer component of ImageMagick that can be detected by monitoring the memory usage of the ImageMagick process when processing crafted images.
Technical detection can involve using memory analysis tools such as Valgrind Memcheck to observe heap allocations and frees, looking for memory that is allocated but not freed after processing images.
For example, running ImageMagick commands on suspicious or crafted images under Valgrind Memcheck can reveal the memory leak by showing definitely lost, indirectly lost, and possibly lost bytes.
- Use Valgrind Memcheck to run an ImageMagick command that writes through the ASHLAR coder, e.g., `valgrind --leak-check=full magick crafted_image.png ashlar:output.png`.
- Monitor process memory usage during image processing using system tools like `top`, `htop`, or `ps` to detect abnormal memory growth.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade ImageMagick to version 7.1.2-15 or later, where the memory leak vulnerability in the ASHLAR image writer has been fixed.
The fix involves proper management and destruction of the DrawInfo pointer used during image annotation, preventing memory from being leaked.
Until the upgrade can be applied, avoid processing untrusted or crafted images that could trigger the memory leak.