CVE-2026-25637Missing Release of Memory after Effective Lifetime in Imagemagick

CWE-401Missing Release of Memory after Effective LifetimeCWE-772Missing Release of Resource after Effective Lifetime7 documents6 sources
Severity
5.3MEDIUMNVD
EPSS
0.1%
top 82.69%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
ImagemagickDlemstra Magick.netDebian Imagemagick
Timeline
PublishedFeb 24

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-15, a memory leak in the ASHLAR image writer allows an attacker to exhaust process memory by providing a crafted image that results in small objects that are allocated but never freed. Version 7.1.2-15 contains a patch.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

debiandebian/imagemagick< imagemagick 8:7.1.2.15+dfsg1-1 (forky)
NVDimagemagick/imagemagick< 7.1.2-15
Debianimagemagick/imagemagick< 8:7.1.1.43+dfsg1-1+deb13u6+1
NVDdlemstra/magick.net< 14.10.3

Patches

Patch: github.com

🔴Vulnerability Details

3
OSV
CVE-2026-25637: ImageMagick is free and open-source software used for editing and manipulating digital images2026-02-24
GHSA
ImageMagick: Possible memory leak in ASHLAR encoder2026-02-24
OSV
ImageMagick: Possible memory leak in ASHLAR encoder2026-02-24

📋Vendor Advisories

2
Red Hat
ImageMagick: ImageMagick: Denial of Service via crafted image due to memory leak2026-02-24
Debian
CVE-2026-25637: imagemagick - ImageMagick is free and open-source software used for editing and manipulating d...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-25637 Impact, Exploitability, and Mitigation Steps | Wiz