ImageMagick/MagickNET, Memory Leak, GHSA-x928-4434-crqj (Low)

Listen to this Post

This vulnerability resides in the PNG encoder’s MNG image writing routine. When `WritePNGImage()` within `coders/png.c` processes a Multiple-image Network Graphics (MNG) frame, it allocates memory for various compression structures and color palettes. If the encoder encounters an error—such as an unsupported chunk type, a malformed MNG control structure, or a failure during png_write_row()—the function exits prematurely via an error path. However, this error path fails to invoke the necessary cleanup functions like `png_destroy_write_struct()` or `MagickFree()` on auxiliary buffers. Consequently, memory allocated for the `png_struct` and `png_info` objects, along with any row buffers and palette data, remains unreleased. Repeated attempts to process malicious or malformed MNG images cause this leaked memory to accumulate within the process’s heap, leading to unbounded memory consumption and eventual denial of service.
Platform: Magick.NET NuGet
Version: < 14.20.0
Vulnerability : Memory Leak
Severity: Low
date: Apr 13 2026

Prediction: Apr 14 2026

What Undercode Say:

Verify the installed Magick.NET package version
dotnet list package | grep Magick.NET
Reproduce the memory leak (requires a malformed MNG image)
for i in {1..1000}; do convert -size 100x100 xc:white mng:- | magick mng:- -quality 75 out.png; done
Monitor memory usage of the ImageMagick process
while true; do ps aux | grep [bash]agick | awk '{print $6}'; sleep 1; done
Patch to the fixed version
dotnet add package Magick.NET-Q16-AnyCPU --version 14.20.0

Exploit:

An attacker can craft a specially malformed MNG image that triggers the PNG encoder’s error path during writing. By repeatedly feeding this image to an application using Magick.NET (e.g., a web service that resizes user-supplied images), the attacker can cause the service’s memory usage to grow without bound, eventually leading to an out-of-memory condition and a denial of service.

Protection from this CVE

Update Magick.NET to version 14.20.0 or later. If immediate patching is not possible, implement input validation to reject MNG files from untrusted sources, or set hard memory limits on the processing pipeline to mitigate the impact of a leak.

Impact:

Denial of service due to memory exhaustion. The leak is low severity because it requires a specific error condition in the encoder and does not lead to code execution or privilege escalation. However, in a high-volume environment, repeated exploitation can render the service unavailable.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top