Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-15, a memory leak in the ASHLAR image writer allows an attacker to exhaust process memory by providing a crafted image that results in small objects that are allocated but never freed. Version 7.1.2-15 contains a patch.
Published: 2026-02-24
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory exhaustion leading to potential denial of service
Action: Apply Patch
AI Analysis

Impact

ImageMagick contains a memory leak in the ASHLAR image writer, allowing crafted images to trigger repeated allocations of small objects that are never freed. The resulting exhaustion of process memory can cause the application or the host system to become unresponsive, effectively a denial‑of‑service condition. The weakness is classified as CWE‑401 for uninitialized memory deallocation and CWE‑772 for missing release of allocated memory after long‑term usage.

Affected Systems

The vulnerability affects all installations of ImageMagick prior to version 7.1.2‑15. It also impacts applications that embed ImageMagick libraries, such as Magick.NET, when using older versions. Updating to ImageMagick 7.1.2‑15 or later, or to Magick.NET 14.10.3 or newer, removes the flaw.

Risk and Exploitability

The CVSS score of 5.3 places the issue in the medium severity range, but the EPSS score of less than 1% indicates a very low probability of exploitation in observed data. The flaw is not listed in the KEV catalog. Exploitation requires the attacker to supply a specially crafted image that employs the ASHLAR image writer. If the affected application processes images from untrusted sources—such as a web service—remote attackers can trigger memory exhaustion. In environments where image input is strictly controlled, the risk is considerably lower.

Generated by OpenCVE AI on April 17, 2026 at 16:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to version 7.1.2‑15 or later, which includes the fix for the ASHLAR memory leak.
  • Upgrade any dependent libraries, such as Magick.NET, to a version that incorporates the patched ImageMagick code (e.g., 14.10.3 or newer).
  • If the ASHLAR writer is not needed, reconfigure the application to disable or avoid its use for processing untrusted images.

Generated by OpenCVE AI on April 17, 2026 at 16:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6158-1 imagemagick security update
Github GHSA Github GHSA GHSA-gm37-qx7w-p258 ImageMagick: Possible memory leak in ASHLAR encoder
History

Fri, 27 Feb 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Dlemstra
Dlemstra magick.net
CPEs cpe:2.3:a:dlemstra:magick.net:*:*:*:*:*:*:*:*
cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*
Vendors & Products Dlemstra
Dlemstra magick.net

Tue, 24 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-772
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 24 Feb 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Imagemagick
Imagemagick imagemagick
Vendors & Products Imagemagick
Imagemagick imagemagick

Tue, 24 Feb 2026 01:15:00 +0000

Type Values Removed Values Added
Description ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-15, a memory leak in the ASHLAR image writer allows an attacker to exhaust process memory by providing a crafted image that results in small objects that are allocated but never freed. Version 7.1.2-15 contains a patch.
Title ImageMagick: Possible memory leak in ASHLAR encoder
Weaknesses CWE-401
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Dlemstra Magick.net
Imagemagick Imagemagick
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T15:01:32.626Z

Reserved: 2026-02-04T05:15:41.790Z

Link: CVE-2026-25637

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-02-24T01:16:13.623

Modified: 2026-02-27T14:32:59.663

Link: CVE-2026-25637

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-24T00:48:37Z

Links: CVE-2026-25637 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T16:15:22Z

Weaknesses