MEDIUM 6.5
GHSA-39h3-g67r-7g3c
ImageMagick releases an invalid pointer in BilateralBlur when memory allocation fails
Details
The BilateralBlurImage method will allocate a set of double buffers inside AcquireBilateralTLS. But the last element in the set is not properly initialized. This will result in a release of an invalid pointer inside DestroyBilateralTLS when the memory allocation fails.
Are you affected?
Enter the version of the package you're using.
Affected packages
NuGet / Magick.NET-Q8-x64
Introduced in:
0 Fixed in: 14.10.2 Fix
dotnet add package Magick.NET-Q8-x64 --version 14.10.2 NuGet / Magick.NET-Q8-arm64
Introduced in:
0 Fixed in: 14.10.2 Fix
dotnet add package Magick.NET-Q8-arm64 --version 14.10.2 NuGet / Magick.NET-Q8-x86
Introduced in:
0 Fixed in: 14.10.2 Fix
dotnet add package Magick.NET-Q8-x86 --version 14.10.2 NuGet / Magick.NET-Q8-OpenMP-x64
Introduced in:
0 Fixed in: 14.10.2 Fix
dotnet add package Magick.NET-Q8-OpenMP-x64 --version 14.10.2 NuGet / Magick.NET-Q8-OpenMP-arm64
Introduced in:
0 Fixed in: 14.10.2 Fix
dotnet add package Magick.NET-Q8-OpenMP-arm64 --version 14.10.2 NuGet / Magick.NET-Q16-x64
Introduced in:
0 Fixed in: 14.10.2 Fix
dotnet add package Magick.NET-Q16-x64 --version 14.10.2 NuGet / Magick.NET-Q16-arm64
Introduced in:
0 Fixed in: 14.10.2 Fix
dotnet add package Magick.NET-Q16-arm64 --version 14.10.2 NuGet / Magick.NET-Q16-x86
Introduced in:
0 Fixed in: 14.10.2 Fix
dotnet add package Magick.NET-Q16-x86 --version 14.10.2 NuGet / Magick.NET-Q16-OpenMP-x64
Introduced in:
0 Fixed in: 14.10.2 Fix
dotnet add package Magick.NET-Q16-OpenMP-x64 --version 14.10.2 NuGet / Magick.NET-Q16-OpenMP-arm64
Introduced in:
0 Fixed in: 14.10.2 Fix
dotnet add package Magick.NET-Q16-OpenMP-arm64 --version 14.10.2 NuGet / Magick.NET-Q16-OpenMP-x86
Introduced in:
0 Fixed in: 14.10.2 Fix
dotnet add package Magick.NET-Q16-OpenMP-x86 --version 14.10.2 NuGet / Magick.NET-Q16-HDRI-x64
Introduced in:
0 Fixed in: 14.10.2 Fix
dotnet add package Magick.NET-Q16-HDRI-x64 --version 14.10.2 NuGet / Magick.NET-Q16-HDRI-arm64
Introduced in:
0 Fixed in: 14.10.2 Fix
dotnet add package Magick.NET-Q16-HDRI-arm64 --version 14.10.2 NuGet / Magick.NET-Q16-HDRI-x86
Introduced in:
0 Fixed in: 14.10.2 Fix
dotnet add package Magick.NET-Q16-HDRI-x86 --version 14.10.2 NuGet / Magick.NET-Q16-HDRI-OpenMP-x64
Introduced in:
0 Fixed in: 14.10.2 Fix
dotnet add package Magick.NET-Q16-HDRI-OpenMP-x64 --version 14.10.2 NuGet / Magick.NET-Q16-HDRI-OpenMP-arm64
Introduced in:
0 Fixed in: 14.10.2 Fix
dotnet add package Magick.NET-Q16-HDRI-OpenMP-arm64 --version 14.10.2 NuGet / Magick.NET-Q8-AnyCPU
Introduced in:
0 Fixed in: 14.10.2 Fix
dotnet add package Magick.NET-Q8-AnyCPU --version 14.10.2 NuGet / Magick.NET-Q16-AnyCPU
Introduced in:
0 Fixed in: 14.10.2 Fix
dotnet add package Magick.NET-Q16-AnyCPU --version 14.10.2 NuGet / Magick.NET-Q16-HDRI-AnyCPU
Introduced in:
0 Fixed in: 14.10.2 Fix
dotnet add package Magick.NET-Q16-HDRI-AnyCPU --version 14.10.2 References
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-39h3-g67r-7g3c [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-22770 [ADVISORY]
- https://github.com/ImageMagick/ImageMagick/commit/3e0330721020e0c5bb52e4b77c347527dd71658e [WEB]
- https://github.com/ImageMagick/ImageMagick [PACKAGE]
- https://github.com/dlemstra/Magick.NET/releases/tag/14.10.2 [WEB]