CWE-763
AllowedRelease of Invalid Pointer or Reference
Abstraction: Base · Status: Incomplete
The product attempts to return a memory resource to the system, but it calls the wrong release function or calls the appropriate release function incorrectly.
109 vulnerabilities reference this CWE, most recent first.
GHSA-M86Q-CGJ9-94C8
Vulnerability from github – Published: 2026-06-24 18:32 – Updated: 2026-06-30 03:37In the Linux kernel, the following vulnerability has been resolved:
tipc: fix double-free in tipc_buf_append()
tipc_msg_validate() can potentially reallocate the skb it is validating, freeing the old one. In tipc_buf_append(), it was being called with a pointer to a local variable which was a copy of the caller's skb pointer.
If the skb was reallocated and validation subsequently failed, the error handling path would free the original skb pointer, which had already been freed, leading to double-free.
Fix this by checking if head now points to a newly allocated reassembled skb. If it does, reassign *headbuf for later freeing operations.
{
"affected": [],
"aliases": [
"CVE-2026-52993"
],
"database_specific": {
"cwe_ids": [
"CWE-415",
"CWE-763"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-24T17:17:10Z",
"severity": "CRITICAL"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix double-free in tipc_buf_append()\n\ntipc_msg_validate() can potentially reallocate the skb it is validating,\nfreeing the old one. In tipc_buf_append(), it was being called with a\npointer to a local variable which was a copy of the caller\u0027s skb\npointer.\n\nIf the skb was reallocated and validation subsequently failed, the error\nhandling path would free the original skb pointer, which had already\nbeen freed, leading to double-free.\n\nFix this by checking if head now points to a newly allocated reassembled\nskb. If it does, reassign *headbuf for later freeing operations.",
"id": "GHSA-m86q-cgj9-94c8",
"modified": "2026-06-30T03:37:13Z",
"published": "2026-06-24T18:32:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-52993"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-52993"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492437"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0274f24485fc38032d4093e463dc3ff5c7a667c9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1d5e589055880fae229e229e1929e087dbe08cf3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/29940fff14110ca48c5ccc168d121665b51bb778"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4d104882bc815d4ec666ace9155f5f52715879a6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4ee4deadaae7cb2e3d53af0fc889cf92a73413c0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a438975a6dcdbd70865978c021650d1485586f0b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d293ca716e7d5dffdaecaf6b9b2f857a33dc3d3a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d3556656c6daebf8def751c7e71d11dd0a180d24"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-52993.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MR4J-XFV9-W967
Vulnerability from github – Published: 2025-05-19 09:31 – Updated: 2025-05-19 09:31V-SFT v6.2.5.0 and earlier contains an issue with free of pointer not at start of buffer in VS6EditData.dll!CWinFontInf::WinFontMsgCheck function. Opening specially crafted V7 or V8 files may lead to crash, information disclosure, and arbitrary code execution.
{
"affected": [],
"aliases": [
"CVE-2025-47749"
],
"database_specific": {
"cwe_ids": [
"CWE-761",
"CWE-763"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-19T08:15:22Z",
"severity": "HIGH"
},
"details": "V-SFT v6.2.5.0 and earlier contains an issue with free of pointer not at start of buffer in VS6EditData.dll!CWinFontInf::WinFontMsgCheck function. Opening specially crafted V7 or V8 files may lead to crash, information disclosure, and arbitrary code execution.",
"id": "GHSA-mr4j-xfv9-w967",
"modified": "2025-05-19T09:31:09Z",
"published": "2025-05-19T09:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47749"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/vu/JVNVU97228144"
},
{
"type": "WEB",
"url": "https://monitouch.fujielectric.com/site/download-e/09vsft6_inf/Search.php"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-PHVG-GC27-GJWP
Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2022-05-24 19:20An attacker-controlled pointer free in Busybox's hush applet leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input.
{
"affected": [],
"aliases": [
"CVE-2021-42377"
],
"database_specific": {
"cwe_ids": [
"CWE-590",
"CWE-763"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-15T21:15:00Z",
"severity": "CRITICAL"
},
"details": "An attacker-controlled pointer free in Busybox\u0027s hush applet leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the \u0026\u0026\u0026 string. This may be used for remote code execution under rare conditions of filtered command input.",
"id": "GHSA-phvg-gc27-gjwp",
"modified": "2022-05-24T19:20:51Z",
"published": "2022-05-24T19:20:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42377"
},
{
"type": "WEB",
"url": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog"
},
{
"type": "WEB",
"url": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20211223-0002"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PPV5-592P-G5Q4
Vulnerability from github – Published: 2026-04-28 12:31 – Updated: 2026-07-09 15:32Mismatched Memory Management Routines vulnerability in Apache Thrift c_glib language bindings.
This issue affects Apache Thrift: before 0.23.0.
Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Description: Specially crafted requests can crash an c_glib-based Thrift server with a clean but fatal "free(): invalid pointer" error message.
{
"affected": [],
"aliases": [
"CVE-2025-48431"
],
"database_specific": {
"cwe_ids": [
"CWE-762",
"CWE-763"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-28T10:16:02Z",
"severity": "HIGH"
},
"details": "Mismatched Memory Management Routines vulnerability in Apache Thrift c_glib language bindings.\n\nThis issue affects Apache Thrift: before 0.23.0.\n\nUsers are recommended to upgrade to version 0.23.0, which fixes the issue.\n\nDescription: Specially crafted requests can crash an c_glib-based Thrift server with a clean but fatal \"free(): invalid pointer\" error message.",
"id": "GHSA-ppv5-592p-g5q4",
"modified": "2026-07-09T15:32:00Z",
"published": "2026-04-28T12:31:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48431"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:24539"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25273"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:27126"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:28010"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36882"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-48431"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2463410"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/lb4j0zyd5f3g36cos0wql925przpnwql"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-48431.json"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/04/28/8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PQJQ-MHW9-RVW9
Vulnerability from github – Published: 2022-10-20 12:00 – Updated: 2022-10-23 12:00When a BIG-IP Advanced WAF/ASM security policy is configured on a virtual server, undisclosed requests can cause the bd process to terminate.
{
"affected": [],
"aliases": [
"CVE-2022-41691"
],
"database_specific": {
"cwe_ids": [
"CWE-763"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-19T22:15:00Z",
"severity": "HIGH"
},
"details": "When a BIG-IP Advanced WAF/ASM security policy is configured on a virtual server, undisclosed requests can cause the bd process to terminate.",
"id": "GHSA-pqjq-mhw9-rvw9",
"modified": "2022-10-23T12:00:26Z",
"published": "2022-10-20T12:00:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41691"
},
{
"type": "WEB",
"url": "https://support.f5.com/csp/article/K02694732"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PX5H-P825-XFMC
Vulnerability from github – Published: 2022-05-13 01:11 – Updated: 2022-05-13 01:11lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) before 1.14 relies on an inappropriate context handle, which allows remote attackers to cause a denial of service (incorrect pointer read and process crash) via a crafted SPNEGO packet that is mishandled during a gss_inquire_context call.
{
"affected": [],
"aliases": [
"CVE-2015-2695"
],
"database_specific": {
"cwe_ids": [
"CWE-763"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2015-11-09T03:59:00Z",
"severity": "MODERATE"
},
"details": "lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) before 1.14 relies on an inappropriate context handle, which allows remote attackers to cause a denial of service (incorrect pointer read and process crash) via a crafted SPNEGO packet that is mishandled during a gss_inquire_context call.",
"id": "GHSA-px5h-p825-xfmc",
"modified": "2022-05-13T01:11:50Z",
"published": "2022-05-13T01:11:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-2695"
},
{
"type": "WEB",
"url": "https://github.com/krb5/krb5/commit/b51b33f2bc5d1497ddf5bd107f791c101695000d"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201611-14"
},
{
"type": "WEB",
"url": "http://krbdev.mit.edu/rt/Ticket/Display.html?id=8244"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00006.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00007.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00014.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00022.html"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2015/dsa-3395"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/90687"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1034084"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2810-1"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-QGHJ-PFV2-Q8GW
Vulnerability from github – Published: 2022-11-01 19:00 – Updated: 2022-11-03 19:00Xenstore: Guests can crash xenstored Due to a bug in the fix of XSA-115 a malicious guest can cause xenstored to use a wrong pointer during node creation in an error path, resulting in a crash of xenstored or a memory corruption in xenstored causing further damage. Entering the error path can be controlled by the guest e.g. by exceeding the quota value of maximum nodes per domain.
{
"affected": [],
"aliases": [
"CVE-2022-42309"
],
"database_specific": {
"cwe_ids": [
"CWE-763"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-01T13:15:00Z",
"severity": "HIGH"
},
"details": "Xenstore: Guests can crash xenstored Due to a bug in the fix of XSA-115 a malicious guest can cause xenstored to use a wrong pointer during node creation in an error path, resulting in a crash of xenstored or a memory corruption in xenstored causing further damage. Entering the error path can be controlled by the guest e.g. by exceeding the quota value of maximum nodes per domain.",
"id": "GHSA-qghj-pfv2-q8gw",
"modified": "2022-11-03T19:00:27Z",
"published": "2022-11-01T19:00:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42309"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTMITQBGC23MSDHUCAPCVGLMVXIBXQTQ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YZVXG7OOOXCX6VIPEMLFDPIPUTFAYWPE"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLI2NPNEH7CNJO3VZGQNOI4M4EWLNKPZ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YTMITQBGC23MSDHUCAPCVGLMVXIBXQTQ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YZVXG7OOOXCX6VIPEMLFDPIPUTFAYWPE"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLI2NPNEH7CNJO3VZGQNOI4M4EWLNKPZ"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202402-07"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2022/dsa-5272"
},
{
"type": "WEB",
"url": "https://xenbits.xenproject.org/xsa/advisory-414.txt"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/11/01/4"
},
{
"type": "WEB",
"url": "http://xenbits.xen.org/xsa/advisory-414.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QJVF-9Q24-J5QM
Vulnerability from github – Published: 2025-12-15 18:30 – Updated: 2025-12-15 18:30A security issue exists due to improper handling of malformed CIP packets during fuzzing. The controller enters a hard fault with solid red Fault LED and becomes unresponsive. Upon power cycle, the controller will enter recoverable fault where the MS LED and Fault LED become flashing red and reports fault code 0xF019. To recover, clear the fault.
{
"affected": [],
"aliases": [
"CVE-2025-13824"
],
"database_specific": {
"cwe_ids": [
"CWE-763"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-15T16:15:50Z",
"severity": "HIGH"
},
"details": "A security issue exists due to improper handling of malformed CIP packets during fuzzing. The controller enters a hard fault with solid red Fault LED and becomes unresponsive. Upon power cycle, the controller will enter recoverable fault where the MS LED and Fault LED become flashing red and reports fault code\u202f0xF019. To recover,\u202fclear the fault.",
"id": "GHSA-qjvf-9q24-j5qm",
"modified": "2025-12-15T18:30:39Z",
"published": "2025-12-15T18:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13824"
},
{
"type": "WEB",
"url": "https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1766.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-QM3X-73PX-64CM
Vulnerability from github – Published: 2025-05-13 18:30 – Updated: 2025-05-13 18:30Release of invalid pointer or reference in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
{
"affected": [],
"aliases": [
"CVE-2025-30379"
],
"database_specific": {
"cwe_ids": [
"CWE-763"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-13T17:16:00Z",
"severity": "HIGH"
},
"details": "Release of invalid pointer or reference in Microsoft Office Excel allows an unauthorized attacker to execute code locally.",
"id": "GHSA-qm3x-73px-64cm",
"modified": "2025-05-13T18:30:56Z",
"published": "2025-05-13T18:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30379"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30379"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QP59-X883-77QV
Vulnerability from github – Published: 2026-01-21 01:06 – Updated: 2026-01-21 01:06Summary
A memory leak vulnerability exists in the LoadOpenCLDeviceBenchmark() function in MagickCore/opencl.c. When parsing a malformed OpenCL device profile XML file that contains <device elements without proper /> closing tags, the function fails to release allocated memory for string members (platform_name, vendor_name, name, version), leading to memory leaks that could result in resource exhaustion.
Affected Version: ImageMagick 7.1.2-12 and possibly earlier versions
Details
The vulnerability is located in MagickCore/opencl.c, function LoadOpenCLDeviceBenchmark() (lines 754-911).
Root Cause Analysis:
- When a
<devicetag is encountered, aMagickCLDeviceBenchmarkstructure is allocated (line 807-812) - String attributes (
platform,vendor,name,version) are allocated viaConstantString()(lines 878, 885, 898, 900) - These strings are only freed when a
/>closing tag is encountered (lines 840-849) - At function exit (lines 908-910), only the
device_benchmarkstructure is freed, but its member variables are not freed if/>was never parsed
Vulnerable Code (lines 908-910):
token=(char *) RelinquishMagickMemory(token);
device_benchmark=(MagickCLDeviceBenchmark *) RelinquishMagickMemory(
device_benchmark); // BUG: members (platform_name, vendor_name, name, version) not freed!
Correct cleanup (only executed when /> is found, lines 840-849):
device_benchmark->platform_name=(char *) RelinquishMagickMemory(device_benchmark->platform_name);
device_benchmark->vendor_name=(char *) RelinquishMagickMemory(device_benchmark->vendor_name);
device_benchmark->name=(char *) RelinquishMagickMemory(device_benchmark->name);
device_benchmark->version=(char *) RelinquishMagickMemory(device_benchmark->version);
device_benchmark=(MagickCLDeviceBenchmark *) RelinquishMagickMemory(device_benchmark);
PoC
Environment:
- OS: Ubuntu 22.04.5 LTS (Linux 6.8.0-87-generic x86_64)
- Compiler: GCC 11.4.0
- ImageMagick: 7.1.2-13 (commit a52c1b402be08ef8ae193f28ac5b2e120f2fa26f)
Step 1: Build ImageMagick with AddressSanitizer
cd ImageMagick
./configure \
CFLAGS="-g -O0 -fsanitize=address -fno-omit-frame-pointer" \
CXXFLAGS="-g -O0 -fsanitize=address -fno-omit-frame-pointer" \
LDFLAGS="-fsanitize=address" \
--disable-openmp
make -j$(nproc)
Step 2: Create malformed XML file
Step 3: Place file in OpenCL cache directory
mkdir -p ~/.cache/ImageMagick
cp malformed_opencl_profile.xml ~/.cache/ImageMagick/ImagemagickOpenCLDeviceProfile.xml
Step 4: Run ImageMagick with leak detection
export ASAN_OPTIONS="detect_leaks=1:symbolize=1"
./utilities/magick -size 100x100 xc:red output.png
ASAN Output:
=================================================================
==2543490==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 96 byte(s) in 2 object(s) allocated from:
#0 ... in AcquireMagickMemory MagickCore/memory.c:536
#1 ... in LoadOpenCLDeviceBenchmark MagickCore/opencl.c:807
Direct leak of 16 byte(s) in 1 object(s) allocated from:
#0 ... in ConstantString MagickCore/string.c:692
#1 ... in LoadOpenCLDeviceBenchmark MagickCore/opencl.c:878 ← name
Direct leak of 14 byte(s) in 1 object(s) allocated from:
#0 ... in ConstantString MagickCore/string.c:692
#1 ... in LoadOpenCLDeviceBenchmark MagickCore/opencl.c:885 ← platform_name
Direct leak of 14 byte(s) in 1 object(s) allocated from:
#0 ... in ConstantString MagickCore/string.c:692
#1 ... in LoadOpenCLDeviceBenchmark MagickCore/opencl.c:898 ← vendor_name
Direct leak of 15 byte(s) in 1 object(s) allocated from:
#0 ... in ConstantString MagickCore/string.c:692
#1 ... in LoadOpenCLDeviceBenchmark MagickCore/opencl.c:900 ← version
SUMMARY: AddressSanitizer: 203 byte(s) leaked in 18 allocation(s).
Impact
Vulnerability Type: CWE-401 (Missing Release of Memory after Effective Lifetime)
Severity: Low
Who is impacted:
- Users who have OpenCL enabled in ImageMagick
- Systems where an attacker can place or modify files in the OpenCL cache directory (~/.cache/ImageMagick/)
- Long-running ImageMagick processes or services that repeatedly initialize OpenCL
Potential consequences: - Memory exhaustion over time if the malformed configuration is repeatedly loaded - Denial of Service (DoS) in resource-constrained environments
Attack Vector: Local - requires write access to the user's OpenCL cache directory
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-763"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-21T01:06:34Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n\nA memory leak vulnerability exists in the `LoadOpenCLDeviceBenchmark()` function in `MagickCore/opencl.c`. When parsing a malformed OpenCL device profile XML file that contains `\u003cdevice` elements without proper `/\u003e` closing tags, the function fails to release allocated memory for string members (`platform_name`, `vendor_name`, `name`, `version`), leading to memory leaks that could result in resource exhaustion.\n\n**Affected Version**: ImageMagick 7.1.2-12 and possibly earlier versions\n\n---\n\n### Details\n\nThe vulnerability is located in `MagickCore/opencl.c`, function `LoadOpenCLDeviceBenchmark()` (lines 754-911).\n\n**Root Cause Analysis:**\n\n1. When a `\u003cdevice` tag is encountered, a `MagickCLDeviceBenchmark` structure is allocated (line 807-812)\n2. String attributes (`platform`, `vendor`, `name`, `version`) are allocated via `ConstantString()` (lines 878, 885, 898, 900)\n3. These strings are **only freed** when a `/\u003e` closing tag is encountered (lines 840-849)\n4. At function exit (lines 908-910), only the `device_benchmark` structure is freed, but **its member variables are not freed** if `/\u003e` was never parsed\n\n**Vulnerable Code (lines 908-910):**\n\n```c\ntoken=(char *) RelinquishMagickMemory(token);\ndevice_benchmark=(MagickCLDeviceBenchmark *) RelinquishMagickMemory(\n device_benchmark); // BUG: members (platform_name, vendor_name, name, version) not freed!\n```\n\n**Correct cleanup (only executed when `/\u003e` is found, lines 840-849):**\n\n```c\ndevice_benchmark-\u003eplatform_name=(char *) RelinquishMagickMemory(device_benchmark-\u003eplatform_name);\ndevice_benchmark-\u003evendor_name=(char *) RelinquishMagickMemory(device_benchmark-\u003evendor_name);\ndevice_benchmark-\u003ename=(char *) RelinquishMagickMemory(device_benchmark-\u003ename);\ndevice_benchmark-\u003eversion=(char *) RelinquishMagickMemory(device_benchmark-\u003eversion);\ndevice_benchmark=(MagickCLDeviceBenchmark *) RelinquishMagickMemory(device_benchmark);\n```\n\n---\n\n### PoC\n\n**Environment:**\n- OS: Ubuntu 22.04.5 LTS (Linux 6.8.0-87-generic x86_64)\n- Compiler: GCC 11.4.0\n- ImageMagick: 7.1.2-13 (commit `a52c1b402be08ef8ae193f28ac5b2e120f2fa26f`)\n\n**Step 1: Build ImageMagick with AddressSanitizer**\n\n```bash\ncd ImageMagick\n./configure \\\n CFLAGS=\"-g -O0 -fsanitize=address -fno-omit-frame-pointer\" \\\n CXXFLAGS=\"-g -O0 -fsanitize=address -fno-omit-frame-pointer\" \\\n LDFLAGS=\"-fsanitize=address\" \\\n --disable-openmp\nmake -j$(nproc)\n```\n\n**Step 2: Create malformed XML file**\n\n**Step 3: Place file in OpenCL cache directory**\n\n```bash\nmkdir -p ~/.cache/ImageMagick\ncp malformed_opencl_profile.xml ~/.cache/ImageMagick/ImagemagickOpenCLDeviceProfile.xml\n```\n\n**Step 4: Run ImageMagick with leak detection**\n\n```bash\nexport ASAN_OPTIONS=\"detect_leaks=1:symbolize=1\"\n./utilities/magick -size 100x100 xc:red output.png\n```\n\n**ASAN Output:**\n\n```\n=================================================================\n==2543490==ERROR: LeakSanitizer: detected memory leaks\n\nDirect leak of 96 byte(s) in 2 object(s) allocated from:\n #0 ... in AcquireMagickMemory MagickCore/memory.c:536\n #1 ... in LoadOpenCLDeviceBenchmark MagickCore/opencl.c:807\n\nDirect leak of 16 byte(s) in 1 object(s) allocated from:\n #0 ... in ConstantString MagickCore/string.c:692\n #1 ... in LoadOpenCLDeviceBenchmark MagickCore/opencl.c:878 \u2190 name\n\nDirect leak of 14 byte(s) in 1 object(s) allocated from:\n #0 ... in ConstantString MagickCore/string.c:692\n #1 ... in LoadOpenCLDeviceBenchmark MagickCore/opencl.c:885 \u2190 platform_name\n\nDirect leak of 14 byte(s) in 1 object(s) allocated from:\n #0 ... in ConstantString MagickCore/string.c:692\n #1 ... in LoadOpenCLDeviceBenchmark MagickCore/opencl.c:898 \u2190 vendor_name\n\nDirect leak of 15 byte(s) in 1 object(s) allocated from:\n #0 ... in ConstantString MagickCore/string.c:692\n #1 ... in LoadOpenCLDeviceBenchmark MagickCore/opencl.c:900 \u2190 version\n\nSUMMARY: AddressSanitizer: 203 byte(s) leaked in 18 allocation(s).\n```\n\n---\n\n### Impact\n\n**Vulnerability Type:** CWE-401 (Missing Release of Memory after Effective Lifetime)\n\n**Severity:** Low\n\n**Who is impacted:**\n- Users who have OpenCL enabled in ImageMagick\n- Systems where an attacker can place or modify files in the OpenCL cache directory (`~/.cache/ImageMagick/`)\n- Long-running ImageMagick processes or services that repeatedly initialize OpenCL\n\n**Potential consequences:**\n- Memory exhaustion over time if the malformed configuration is repeatedly loaded\n- Denial of Service (DoS) in resource-constrained environments\n\n**Attack Vector:** Local - requires write access to the user\u0027s OpenCL cache directory",
"id": "GHSA-qp59-x883-77qv",
"modified": "2026-01-21T01:06:34Z",
"published": "2026-01-21T01:06:34Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qp59-x883-77qv"
},
{
"type": "PACKAGE",
"url": "https://github.com/ImageMagick/ImageMagick"
},
{
"type": "WEB",
"url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.10.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
}
],
"summary": "ImageMagick has a Memory Leak in LoadOpenCLDeviceBenchmark() when parsing malformed XML"
}
Mitigation
Only call matching memory management functions. Do not mix and match routines. For example, when you allocate a buffer with malloc(), dispose of the original pointer with free().
Mitigation
When programming in C++, consider using smart pointers provided by the boost library to help correctly and consistently manage memory.
Mitigation MIT-4.6
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, glibc in Linux provides protection against free of invalid pointers.
Mitigation
Use a language that provides abstractions for memory allocation and deallocation.
No CAPEC attack patterns related to this CWE.