GHSA-3j4x-rwrx-xxj9: ImageMagick has a possible use-after-free write in its PDB decoder

February 25, 2026

A use-after-free vulnerability exists in the PDB decoder: when a memory allocation fails, the decoder uses a stale pointer, which could result in a crash or a single zero-byte write.

==4033155==ERROR: AddressSanitizer: UNKNOWN SIGNAL on unknown address 0x000000000000 (pc 0x5589c1971b24 bp 0x7ffdcc7ae2d0 sp 0x7ffdcc7adb20 T0)
==4034812==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f099e9f7800 at pc 0x5605d909ab20 bp 0x7ffe52045b50 sp 0x7ffe52045b40
WRITE of size 1 at 0x7f099e9f7800 thread T0

References

  • github.com/ImageMagick/ImageMagick
  • github.com/ImageMagick/ImageMagick/commit/168ffe18def968f886c023146a478897866fd621
  • github.com/ImageMagick/ImageMagick/security/advisories/GHSA-3j4x-rwrx-xxj9
  • github.com/advisories/GHSA-3j4x-rwrx-xxj9
  • github.com/dlemstra/Magick.NET/releases/tag/14.10.3

Affected versions

All versions before 14.10.3

Fixed versions

  • 14.10.3

Solution

Upgrade to version 14.10.3 or above.

Impact 3.7 LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Weakness

  • CWE-416: Use After Free

Source file

nuget/Magick.NET-Q16-OpenMP-arm64/GHSA-3j4x-rwrx-xxj9.yml

Page generated Tue, 24 Mar 2026 12:19:18 +0000.