Release of Invalid Pointer or Reference
CVE-2026-22770
Summary
ImageMagick is free and open-source software used for editing and manipulating digital images. The "BilateralBlurImage" method allocates a set of double buffers inside "AcquireBilateralTLS". In ImageMagick versions prior to 7.1.2-13 and Magick.NET versions prior to 14.10.2, the last element in the set is not properly initialized. When the memory allocation fails, this results in the release of an invalid pointer inside "DestroyBilateralTLS". ImageMagick version 7.1.2-13 and Magick.NET version 14.10.2 contain a patch for the issue.
- LOW
- NETWORK
- HIGH
- UNCHANGED
- NONE
- NONE
- HIGH
- HIGH
CWE-763 - Release of Invalid Pointer or Reference
The application attempts to return a memory resource to the system, but calls the wrong release function or calls the appropriate release function incorrectly.
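The failure mode described in the Summary, as an added example that is not ImageMagick source: a simplified model of a pointer set whose last slot is left uninitialized, measured safely instead of being passed to free(). The function name, the poison byte and the idea that only count-1 slots get cleared are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified model of the bug class; all names are hypothetical,
   this is not ImageMagick source. */
#define POISON 0xA5 /* constructed stand-in for uninitialized heap bytes */

/* Returns how many invalid (never allocated, non-NULL) pointers a destroy
   routine that walks all `count` slots would hand to free() when the
   allocation for slot `fail_at` fails. `cleared` is the number of slots
   zeroed before the allocation loop and must not exceed `count`. */
size_t invalid_releases(size_t count, size_t cleared, size_t fail_at)
{
  size_t i, j, invalid = 0;
  double **set = malloc(count * sizeof(*set));
  if (set == NULL)
    return 0;
  memset(set, POISON, count * sizeof(*set)); /* model stale heap contents */
  memset(set, 0, cleared * sizeof(*set));    /* the initialization under test */
  for (i = 0; i < count; i++) {
    /* simulated allocator: the request for slot fail_at fails */
    set[i] = (i == fail_at) ? NULL : malloc(16 * sizeof(**set));
    if (set[i] == NULL)
      break;                                 /* error path: destroy the set */
  }
  /* Destroy pass over the whole set: slots below i hold real allocations,
     slot i is NULL, and any later slot is safe to release only if NULL. */
  for (j = 0; j < count; j++) {
    if (j < i)
      free(set[j]);
    else if (set[j] != NULL)
      invalid++;                             /* real code would free() this */
  }
  free(set);
  return invalid;
}

int main(void)
{
  size_t n = 4;
  /* clearing n-1 slots leaves the last one stale; clearing all n is safe */
  return (invalid_releases(n, n - 1, 1) == 1 &&
          invalid_releases(n, n, 1) == 0) ? 0 : 1;
}
```

The bug only surfaces on the allocation-failure path, so exercising it in testing requires fault injection or a constrained memory limit rather than ordinary inputs.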
References
Advisory Timeline
- Published