Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-15, a memory leak exists in `coders/ashlar.c`. The `WriteASHLARImage` allocates a structure. However, when an exception is thrown, the allocated memory is not properly released, resulting in a potential memory leak. Version 7.1.2-15 contains a patch.
Published: 2026-02-24
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises from a memory leak in ImageMagick’s ashlar coder: the WriteASHLARImage routine allocates a structure that is not freed if an exception occurs. Although the flaw does not grant direct code execution, repeated processing of crafted images can consume system memory, potentially exhausting available resources and causing application or system downtime.

Affected Systems

ImageMagick releases prior to version 7.1.2-15 are affected. The flaw is present in the main ImageMagick library used for image conversion tasks. The associated CPE string matches the ImageMagick software, indicating all installed instances of the library before the patch are vulnerable.

Risk and Exploitability

With a CVSS score of 5.3 and an EPSS below 1%, the probability of exploitation is low, and the flaw is not currently listed in the CISA‑KEV catalog. If an attacker can supply images that trigger the exception path, the memory leak could gradually consume system resources. The attack vector is inferred to be local or remote image‑processing requests, depending on how the ImageMagick binary is exposed. The lack of an immediate exploit makes this a medium‑risk issue primarily of resource exhaustion rather than a high‑severity security breach.

Generated by OpenCVE AI on April 17, 2026 at 15:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ImageMagick installation to version 7.1.2-15 or later, which contains the fix that correctly frees allocated memory on exception.
  • If an immediate upgrade is not possible, apply the corrective patch or instructions provided in the vendor advisory to ensure memory is released when exceptions occur.
  • After applying the patch or upgrade, monitor system memory usage and restart affected services if abnormal memory growth is observed, until the fix is fully validated.


Tracking


Advisories
Source | ID | Title
Debian DSA | DSA-6158-1 | imagemagick security update
Github GHSA | GHSA-xgm3-v4r9-wfgm | ImageMagick has a Memory Leak in coders/ashlar.c
History

Wed, 25 Feb 2026 12:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*

Tue, 24 Feb 2026 12:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-772
References | |
Metrics | threat_severity: None | threat_severity: Moderate


Tue, 24 Feb 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Imagemagick
Imagemagick imagemagick
Vendors & Products Imagemagick
Imagemagick imagemagick

Tue, 24 Feb 2026 02:00:00 +0000

Type Values Removed Values Added
Description ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-15, a memory leak exists in `coders/ashlar.c`. The `WriteASHLARImage` allocates a structure. However, when an exception is thrown, the allocated memory is not properly released, resulting in a potential memory leak. Version 7.1.2-15 contains a patch.
Title ImageMagick has Memory Leak in coders/ashlar.c
Weaknesses CWE-401
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T21:33:39.566Z

Reserved: 2026-02-09T17:13:54.067Z

Link: CVE-2026-25969

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-02-24T02:16:01.807

Modified: 2026-02-25T11:57:35.757

Link: CVE-2026-25969

Redhat

Severity : Moderate

Public Date: 2026-02-24T01:33:00Z

Links: CVE-2026-25969 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T16:00:11Z

Weaknesses