{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25637", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-04T05:15:41.790Z", "datePublished": "2026-02-24T00:48:37.892Z", "dateUpdated": "2026-02-26T15:01:32.626Z"}, "containers": {"cna": {"title": "ImageMagick: Possible memory leak in ASHLAR encoder", "problemTypes": [{"descriptions": [{"cweId": "CWE-401", "lang": "en", "description": "CWE-401: Missing Release of Memory after Effective Lifetime", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-gm37-qx7w-p258", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-gm37-qx7w-p258"}, {"name": "https://github.com/ImageMagick/ImageMagick/commit/30ce0e8efbd72fd6b50ed3a10ae22f57c8901137", "tags": ["x_refsource_MISC"], "url": "https://github.com/ImageMagick/ImageMagick/commit/30ce0e8efbd72fd6b50ed3a10ae22f57c8901137"}, {"name": "https://github.com/dlemstra/Magick.NET/releases/tag/14.10.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.10.3"}], "affected": [{"vendor": "ImageMagick", "product": "ImageMagick", "versions": [{"version": "< 7.1.2-15", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-24T00:48:37.892Z"}, "descriptions": [{"lang": "en", "value": "ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-15, a memory leak in the ASHLAR image writer allows an attacker to exhaust process memory by providing a crafted image that results in small objects that are allocated but never freed. Version 7.1.2-15 contains a patch."}], "source": {"advisory": "GHSA-gm37-qx7w-p258", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T15:00:33.295755Z", "id": "CVE-2026-25637", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T15:01:32.626Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*", "matchCriteriaId": "B89F5759-9F8D-4C89-8D35-0FCE2AE715A4", "versionEndExcluding": "7.1.2-15", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dlemstra:magick.net:*:*:*:*:*:*:*:*", "matchCriteriaId": "F5891403-B079-4CD7-BA2A-361146A2F475", "versionEndExcluding": "14.10.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-15, a memory leak in the ASHLAR image writer allows an attacker to exhaust process memory by providing a crafted image that results in small objects that are allocated but never freed. Version 7.1.2-15 contains a patch."}, {"lang": "es", "value": "ImageMagick es un software libre y de c\u00f3digo abierto utilizado para editar y manipular im\u00e1genes digitales. Antes de la versi\u00f3n 7.1.2-15, una fuga de memoria en el escritor de im\u00e1genes ASHLAR permite a un atacante agotar la memoria del proceso al proporcionar una imagen manipulada que resulta en objetos peque\u00f1os que se asignan pero nunca se liberan. La versi\u00f3n 7.1.2-15 contiene un parche."}], "id": "CVE-2026-25637", "lastModified": "2026-02-27T14:32:59.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-24T01:16:13.623", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/ImageMagick/ImageMagick/commit/30ce0e8efbd72fd6b50ed3a10ae22f57c8901137"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-gm37-qx7w-p258"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.10.3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "ImageMagick: ImageMagick: Denial of Service via crafted image due to memory leak", "id": "2442114", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442114"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-772", "details": ["A flaw was found in ImageMagick. A remote attacker can exploit a memory leak in the ASHLAR image writer by providing a specially crafted image. This vulnerability causes small objects to be allocated but never freed, leading to the exhaustion of process memory and a Denial of Service (DoS)."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, restrict ImageMagick's processing of untrusted or unverified image files. Where possible, process images from unverified sources within a sandboxed environment to contain potential resource exhaustion. Additionally, ensure that applications utilizing ImageMagick implement robust input validation for all image inputs."}, "name": "CVE-2026-25637", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "ImageMagick", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "ImageMagick", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2026-02-24T00:48:37Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-25637\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-25637\nhttps://github.com/ImageMagick/ImageMagick/commit/30ce0e8efbd72fd6b50ed3a10ae22f57c8901137\nhttps://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-gm37-qx7w-p258\nhttps://github.com/dlemstra/Magick.NET/releases/tag/14.10.3"], "statement": "The impact of this flaw is MODERATE. A memory leak in the ASHLAR image writer component of ImageMagick can be triggered by processing a specially crafted image. This could lead to resource exhaustion and denial of service. This affects Red Hat Enterprise Linux 6 ELS and 7 ELS.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.1.2-15)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "ImageMagick", "source": "cna", "vendor": "ImageMagick"}, "product": "imagemagick", "vendor": "imagemagick"}], "analysis": {"en": {"generated_at": "2026-04-17T16:03:34.016289+00:00", "value": {"mitigation_remediation": ["Upgrade ImageMagick to version 7.1.2\u201115 or later, which includes the fix for the ASHLAR memory leak.", "Upgrade any dependent libraries, such as Magick.NET, to a version that incorporates the patched ImageMagick code (e.g., 14.10.3 or newer).", "If the ASHLAR writer is not needed, reconfigure the application to disable or avoid its use for processing untrusted images."], "summary": {"action": "Apply Patch", "impact": "Memory exhaustion leading to potential denial of service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all installations of ImageMagick prior to version 7.1.2\u201115. It also impacts applications that embed ImageMagick libraries, such as Magick.NET, when using older versions. Updating to ImageMagick\u202f7.1.2\u201115 or later, or to Magick.NET\u202f14.10.3 or newer, removes the flaw.", "description_and_impact": "ImageMagick contains a memory leak in the ASHLAR image writer, allowing crafted images to trigger repeated allocations of small objects that are never freed. The resulting exhaustion of process memory can cause the application or the host system to become unresponsive, effectively a denial\u2011of\u2011service condition. The weakness is classified as CWE\u2011401 for uninitialized memory deallocation and CWE\u2011772 for missing release of allocated memory after long\u2011term usage.", "risk_and_exploitability": "The CVSS score of 5.3 places the issue in the medium severity range, but the EPSS score of less than 1% indicates a very low probability of exploitation in observed data. The flaw is not listed in the KEV catalog. Exploitation requires the attacker to supply a specially crafted image that employs the ASHLAR image writer. If the affected application processes images from untrusted sources\u2014such as a web service\u2014remote attackers can trigger memory exhaustion. In environments where image input is strictly controlled, the risk is considerably lower."}}}}, "created": "2026-02-24T09:54:12.490221+00:00", "updated": "2026-04-17T16:15:22.636122+00:00", "vendors": ["imagemagick", "imagemagick$PRODUCT$imagemagick"]}