GHSA-2gq3-ww97-wfjm: ImageMagick has a possible heap Use After Free vulnerability in its meta coder

February 25, 2026

A heap Use After Free vulnerability exists in the meta coder when an allocation fails and a single byte is written to a stale pointer.

==535852==ERROR: AddressSanitizer: heap-use-after-free on address 0x5210000088ff at pc 0x5581bacac14d bp 0x7ffdf667edf0 sp 0x7ffdf667ede0
WRITE of size 1 at 0x5210000088ff thread T0

References

github.com/ImageMagick/ImageMagick
github.com/ImageMagick/ImageMagick/commit/f5049954f12c6fcf090a776767526d2a4708d58b
github.com/ImageMagick/ImageMagick/security/advisories/GHSA-2gq3-ww97-wfjm
github.com/advisories/GHSA-2gq3-ww97-wfjm

Code Behaviors & Features

Detect and mitigate GHSA-2gq3-ww97-wfjm with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →