CVE-2026-25637: ImageMagick: Possible memory leak in ASHLAR encoder
A memory leak in the ASHLAR image writer allows an attacker to exhaust process memory by providing a crafted image that results in small objects that are allocated but never freed.
==880062== Memcheck, a memory error detector
==880062== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==880062== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info
==880062==
==880062==
==880062== HEAP SUMMARY:
==880062== in use at exit: 386,826 bytes in 696 blocks
==880062== total heap usage: 30,523 allocs, 29,827 frees, 21,803,756 bytes allocated
==880062==
==880062== LEAK SUMMARY:
==880062== definitely lost: 3,408 bytes in 3 blocks
==880062== indirectly lost: 88,885 bytes in 30 blocks
==880062== possibly lost: 140,944 bytes in 383 blocks
==880062== still reachable: 151,573 bytes in 259 blocks
==880062== suppressed: 0 bytes in 0 blocks
==880062== Reachable blocks (those to which a pointer was found) are not shown.
==880062== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==880062==
==880062== For lists of detected and suppressed errors, rerun with: -s
==880062== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
References
- github.com/ImageMagick/ImageMagick
- github.com/ImageMagick/ImageMagick/commit/30ce0e8efbd72fd6b50ed3a10ae22f57c8901137
- github.com/ImageMagick/ImageMagick/security/advisories/GHSA-gm37-qx7w-p258
- github.com/advisories/GHSA-gm37-qx7w-p258
- github.com/dlemstra/Magick.NET/releases/tag/14.10.3
- nvd.nist.gov/vuln/detail/CVE-2026-25637
Code Behaviors & Features
Detect and mitigate CVE-2026-25637 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →