DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-6P22-Q7W5-33PG: CVE-2026-25969: Local Denial of Service via Memory Leak in ImageMagick ASHLAR Coder

#security #cve #cybersecurity #ghsa

CVE-2026-25969: Local Denial of Service via Memory Leak in ImageMagick ASHLAR Coder

Vulnerability ID: GHSA-6P22-Q7W5-33PG
CVSS Score: 3.3
Published: 2026-03-26

A memory management flaw in the ASHLAR tiling layout engine within ImageMagick and its Magick.NET wrapper results in a memory leak. Processing specially crafted images causes the application to consume excessive heap memory, ultimately leading to a local denial-of-service (DoS) condition via an Out-Of-Memory (OOM) state.

TL;DR

ImageMagick's ASHLAR coder fails to release memory when skipping images that do not fit tile constraints. Attackers can trigger this CWE-401 flaw to exhaust application memory and cause a denial of service.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-401
  • Attack Vector: Local (AV:L)
  • CVSS Score: 3.3
  • Impact: Denial of Service (DoS)
  • Exploit Status: PoC
  • Affected Component: ASHLAR Coder (coders/ashlar.c)

Affected Systems

  • Magick.NET (NuGet ecosystem)
  • ImageMagick (C/C++ core)
  • Magick.NET (All Variants): < 14.11.1 (Fixed in: 14.11.1)
  • Magick.NET-Q16-AnyCPU: < 14.10.3 (Fixed in: 14.10.3)
  • ImageMagick: >= 7.0.10-22, < 7.1.2-15 (Fixed in: 7.1.2-15)

Code Analysis

Commit: a253d1b

Explicitly release image memory during ASHLAR tiling constraint failures.

if (image->rows > (ashlar_info[i].height-ashlar_info[i].y))
{
  images[j]=DestroyImage(image);
  continue;
}
Enter fullscreen mode Exit fullscreen mode

Mitigation Strategies

  • Upgrade Magick.NET packages to version 14.11.1 or later
  • Upgrade ImageMagick core library to version 7.1.2-15 or later
  • Implement pre-processing dimension validation for user-uploaded images
  • Restrict or disable the ASHLAR coder functionality for untrusted inputs

Remediation Steps:

  1. Identify all projects and dependencies utilizing Magick.NET or ImageMagick.
  2. Update the NuGet package references for Magick.NET to 14.11.1.
  3. Recompile and deploy the updated application binaries.
  4. Monitor application memory usage during image processing to verify the leak is resolved.

References

Read the full report for GHSA-6P22-Q7W5-33PG on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)