PT-2026-5505 · Nuget · Magick.Net-Q16-Anycpu+18

Published

2026-01-21

·

Updated

2026-01-21

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H

Summary

A memory leak exists in the LoadOpenCLDeviceBenchmark() function in MagickCore/opencl.c. When parsing a malformed OpenCL device profile XML file in which a <device element is never terminated by />, the function does not release the memory allocated for the string members of the device benchmark structure (platform_name, vendor_name, name, version). Every load of such a profile leaks those strings, which can add up to resource exhaustion in processes that load the profile repeatedly.
Affected Version: ImageMagick 7.1.2-12 and possibly earlier versions (the PoC below reproduces the leak on 7.1.2-13)

Details

The vulnerability is located in MagickCore/opencl.c, function LoadOpenCLDeviceBenchmark() (lines 754-911).
Root Cause Analysis:
  1. When a <device tag is encountered, a MagickCLDeviceBenchmark structure is allocated (lines 807-812).
  2. The string attributes (platform, vendor, name, version) are copied into the structure via ConstantString() (lines 878, 885, 898, 900).
  3. These strings are freed only when a /> closing tag is encountered (lines 840-849).
  4. At function exit (lines 908-910) only the device benchmark structure itself is freed; its string members are never released if /> was not parsed. The ASAN output below also reports two structures leaked from line 807, so a second <device tag that arrives before any /> orphans the previous structure as well.
Vulnerable Code (lines 908-910):
```c
token=(char *) RelinquishMagickMemory(token);
device_benchmark=(MagickCLDeviceBenchmark *) RelinquishMagickMemory(
  device_benchmark); // BUG: members (platform_name, vendor_name, name, version) not freed!
```
Correct cleanup (only executed when /> is found, lines 840-849):
```c
device_benchmark->platform_name=(char *) RelinquishMagickMemory(device_benchmark->platform_name);
device_benchmark->vendor_name=(char *) RelinquishMagickMemory(device_benchmark->vendor_name);
device_benchmark->name=(char *) RelinquishMagickMemory(device_benchmark->name);
device_benchmark->version=(char *) RelinquishMagickMemory(device_benchmark->version);
device_benchmark=(MagickCLDeviceBenchmark *) RelinquishMagickMemory(device_benchmark);
```
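To make the root cause concrete, the following C model is an added example written for this page, not ImageMagick's opencl.c. It reproduces the two flows above side by side: with `fixed` set to 0 the string members are released only when `/>` is seen, which is the vulnerable behaviour, and with `fixed` set to 1 the full cleanup is applied wherever the structure is released, including at function exit. The structure, the helper names and the two profile strings are constructed for the example; an allocation counter stands in for LeakSanitizer.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not ImageMagick's code: a stripped-down model of the
   LoadOpenCLDeviceBenchmark() loop described above, with an allocation
   counter standing in for LeakSanitizer. All names are the example's own. */

typedef struct {
  char *platform_name, *vendor_name, *name, *version;  /* ConstantString() copies */
} DeviceBenchmark;

static int live_allocations;  /* blocks acquired and not yet relinquished */

static void *acquire_memory(size_t size) {  /* zeroed, like the original's memset */
  void *block = calloc(1, size);
  if (block != NULL) live_allocations++;
  return block;
}

static void *relinquish_memory(void *block) {
  if (block != NULL) { free(block); live_allocations--; }
  return NULL;
}

static char *constant_string(const char *text, size_t length) {
  char *copy = acquire_memory(length + 1);
  if (copy == NULL) return NULL;
  memcpy(copy, text, length);
  copy[length] = '\0';
  return copy;
}

static char **member_slot(DeviceBenchmark *d, const char *key, size_t n) {
  if (n == 8 && strncmp(key, "platform", 8) == 0) return &d->platform_name;
  if (n == 6 && strncmp(key, "vendor", 6) == 0) return &d->vendor_name;
  if (n == 4 && strncmp(key, "name", 4) == 0) return &d->name;
  if (n == 7 && strncmp(key, "version", 7) == 0) return &d->version;
  return NULL;
}

/* The complete cleanup the original runs only on "/>" (lines 840-849). */
static void release_device(DeviceBenchmark **device) {
  (*device)->platform_name = relinquish_memory((*device)->platform_name);
  (*device)->vendor_name = relinquish_memory((*device)->vendor_name);
  (*device)->name = relinquish_memory((*device)->name);
  (*device)->version = relinquish_memory((*device)->version);
  *device = relinquish_memory(*device);
}

/* Constructed sample profiles for this example (not real cache files). */
static const char malformed_profile[] =
  "<devices>\n  <device platform=\"Demo Platform\" vendor=\"Demo Vendor\""
  " name=\"Demo GPU\" version=\"1.0\"\n</devices>\n";
static const char wellformed_profile[] =
  "<devices>\n  <device platform=\"Demo Platform\" vendor=\"Demo Vendor\""
  " name=\"Demo GPU\" version=\"1.0\"/>\n</devices>\n";

/* Scans `xml` and returns how many allocations are still live on return
   (0 means nothing leaked). fixed == 0 mirrors the vulnerable flow (members
   released only on "/>"); fixed == 1 releases them whenever the struct goes. */
int parse_device_profile(const char *xml, int fixed) {
  DeviceBenchmark *device = NULL;
  const char *p = xml;
  live_allocations = 0;
  while (*p != '\0') {
    if (strncmp(p, "<device", 7) == 0 && !isalnum((unsigned char) p[7])) {
      /* Like line 807: a new struct per tag; an unclosed previous one is just dropped. */
      if (device != NULL && fixed) release_device(&device);
      device = acquire_memory(sizeof(*device));
      if (device == NULL) break;
      p += 7;
      continue;
    }
    if (strncmp(p, "/>", 2) == 0) {
      if (device != NULL) release_device(&device);
      p += 2;
      continue;
    }
    if (device != NULL && isalpha((unsigned char) *p)) {
      const char *key = p, *value;
      char **slot;
      while (isalnum((unsigned char) *p) || *p == '_') p++;
      slot = member_slot(device, key, (size_t) (p - key));
      while (isspace((unsigned char) *p)) p++;
      if (*p != '=') continue;             /* a bare word, not an attribute */
      do p++; while (isspace((unsigned char) *p));
      if (*p != '"') continue;
      value = ++p;
      p += strcspn(p, "\"");               /* main loop skips the closing quote */
      if (slot != NULL) *slot = constant_string(value, (size_t) (p - value));
      continue;
    }
    p++;
  }
  /* Function exit (lines 908-910): the vulnerable flow frees the struct only. */
  if (device != NULL && fixed) release_device(&device);
  else device = relinquish_memory(device);
  return live_allocations;
}
```

Against the malformed profile the vulnerable flow returns 4 live blocks (the four ConstantString() copies survive the struct being freed at exit) and the fixed flow returns 0; the well-formed profile returns 0 either way. Feeding two <device tags with no /> between them also leaves the first structure orphaned in the vulnerable flow, which is consistent with the two structure objects LeakSanitizer attributes to line 807 below.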

PoC

Environment:
  • OS: Ubuntu 22.04.5 LTS (Linux 6.8.0-87-generic x86_64)
  • Compiler: GCC 11.4.0
  • ImageMagick: 7.1.2-13 (commit a52c1b402be08ef8ae193f28ac5b2e120f2fa26f)
Step 1: Build ImageMagick with AddressSanitizer
```bash
cd ImageMagick
./configure \
  CFLAGS="-g -O0 -fsanitize=address -fno-omit-frame-pointer" \
  CXXFLAGS="-g -O0 -fsanitize=address -fno-omit-frame-pointer" \
  LDFLAGS="-fsanitize=address" \
  --disable-openmp
make -j$(nproc)
```
Check that the configure summary reports OpenCL support as enabled: the device benchmark loader is only built when OpenCL support is compiled in, so without it the profile file is never parsed and the leak cannot be reproduced.
Step 2: Create a malformed profile XML file whose <device element is never closed with />
Step 3: Place the file in the OpenCL cache directory
```bash
mkdir -p ~/.cache/ImageMagick
cp malformed_opencl_profile.xml ~/.cache/ImageMagick/ImagemagickOpenCLDeviceProfile.xml
```
Step 4: Run ImageMagick with leak detection
```bash
export ASAN_OPTIONS="detect_leaks=1:symbolize=1"
./utilities/magick -size 100x100 xc:red output.png
```
ASAN Output (abridged; intermediate frames elided with ...):
=================================================================
==2543490==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 96 byte(s) in 2 object(s) allocated from:
  #0 ... in AcquireMagickMemory MagickCore/memory.c:536
  #1 ... in LoadOpenCLDeviceBenchmark MagickCore/opencl.c:807

Direct leak of 16 byte(s) in 1 object(s) allocated from:
  #0 ... in ConstantString MagickCore/string.c:692
  #1 ... in LoadOpenCLDeviceBenchmark MagickCore/opencl.c:878 ← name

Direct leak of 14 byte(s) in 1 object(s) allocated from:
  #0 ... in ConstantString MagickCore/string.c:692
  #1 ... in LoadOpenCLDeviceBenchmark MagickCore/opencl.c:885 ← platform_name

Direct leak of 14 byte(s) in 1 object(s) allocated from:
  #0 ... in ConstantString MagickCore/string.c:692
  #1 ... in LoadOpenCLDeviceBenchmark MagickCore/opencl.c:898 ← vendor_name

Direct leak of 15 byte(s) in 1 object(s) allocated from:
  #0 ... in ConstantString MagickCore/string.c:692
  #1 ... in LoadOpenCLDeviceBenchmark MagickCore/opencl.c:900 ← version

SUMMARY: AddressSanitizer: 203 byte(s) leaked in 18 allocation(s).

Impact

Vulnerability Type: CWE-401 (Missing Release of Memory after Effective Lifetime)
Severity: Low
Who is impacted:
  • Users who have OpenCL enabled in ImageMagick
  • Systems where an attacker can place or modify files in the OpenCL cache directory (~/.cache/ImageMagick/)
  • Long-running ImageMagick processes or services that repeatedly initialize OpenCL
Potential consequences:
  • Memory exhaustion over time if the malformed configuration is repeatedly loaded
  • Denial of Service (DoS) in resource-constrained environments
Attack Vector: Local - requires write access to the user's OpenCL cache directory

Fix


Weakness Enumeration

Related Identifiers

GHSA-QP59-X883-77QV

Affected Products

Magick.Net-Q16-Anycpu
Magick.Net-Q16-Hdri-Anycpu
Magick.Net-Q16-Hdri-Openmp-Arm64
Magick.Net-Q16-Hdri-Openmp-X64
Magick.Net-Q16-Hdri-Arm64
Magick.Net-Q16-Hdri-X64
Magick.Net-Q16-Hdri-X86
Magick.Net-Q16-Openmp-Arm64
Magick.Net-Q16-Openmp-X64
Magick.Net-Q16-Openmp-X86
Magick.Net-Q16-Arm64
Magick.Net-Q16-X64
Magick.Net-Q16-X86
Magick.Net-Q8-Anycpu
Magick.Net-Q8-Openmp-Arm64
Magick.Net-Q8-Openmp-X64
Magick.Net-Q8-Arm64
Magick.Net-Q8-X64
Magick.Net-Q8-X86