Impact
ImageMagick releases a memory allocation when parsing TXT files containing a texture attribute. If the ReadImage function succeeds but the subsequent GetTypeMetrics call fails, the allocated texture object is never freed, causing a memory leak each time a crafted TXT file with a texture attribute is processed. The flaw does not disclose sensitive data, but repeated exploitation can exhaust system memory, destabilizing the ImageMagick application and the host operating system. This vulnerability is a classic memory leak (CWE‑401) and also reflects a failure to release an unreleased resource (CWE‑772).
Affected Systems
The defect applies to all installations of the ImageMagick image processing suite with releases older than 7.1.2‑15 in the 7.x branch and 6.9.13‑40 in the 6.x branch. Users running those versions should verify that their installed packages have been updated to at least 7.1.2‑15 or 6.9.13‑40 where the memory leak has been addressed.
Risk and Exploitability
Because the leak occurs during routine TXT file parsing, an attacker must supply or force the processing of malicious TXT files that contain the texture attribute. The EPSS score is reported as <1 %, and the vulnerability is not listed in CISA’s KEV catalogue, indicating that publicly available exploits are currently unknown. The likely attack vector is the execution of crafted TXT files that trigger repeated processing, drawn from the description rather than stated directly in the advisory. No privileged execution or data disclosure is required. Nevertheless, repeated processing of such files can lead to memory exhaustion and denial of, presenting a moderate‑to‑high risk for untrusted image or text input. The CVSS score of 6.9 reflects these concerns.
OpenCVE Enrichment
Debian DLA
Debian DSA