Cyber Resilience

CVE-2026-24481

High

Published: 24 February 2026

Published
24 February 2026
Modified
24 February 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0002 4.6th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-24481 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Imagemagick Imagemagick. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 4.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).

Deeper analysis

CVE-2026-24481 is a heap information disclosure vulnerability (CWE-125) in ImageMagick, a free and open-source software suite for editing and manipulating digital images. The issue resides in the PSD (Adobe Photoshop) format handler, affecting versions prior to 7.1.2-15 for the 7.x branch and 6.9.13-40 for the 6.x branch. It occurs when processing a maliciously crafted PSD file containing ZIP-compressed layer data that decompresses to less than the expected size, resulting in uninitialized heap memory being leaked into the output image. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Attackers can exploit this vulnerability remotely without privileges or user interaction by supplying a specially crafted PSD file to an ImageMagick instance, such as in a web application or image processing pipeline that handles untrusted uploads. Successful exploitation leaks sensitive uninitialized heap memory contents into the resulting output image, potentially exposing confidential data like cryptographic keys, passwords, or other process memory artifacts visible to an attacker upon inspecting the output.

The official ImageMagick GitHub security advisory (GHSA-96pc-27rx-pr36) confirms the patch in versions 7.1.2-15 and 6.9.13-40, recommending immediate upgrades for affected systems. Practitioners should verify deployments, scan for vulnerable versions, and implement input validation to reject or sanitize PSD files from untrusted sources until patching is complete.

EU & UK References

Vulnerability details

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap information disclosure vulnerability exists in ImageMagick's PSD (Adobe Photoshop) format handler. When processing a maliciously crafted PSD file containing…

more

ZIP-compressed layer data that decompresses to less than the expected size, uninitialized heap memory is leaked into the output image. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1212 Exploitation for Credential Access Credential Access
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
Why these techniques?

Remote unauthenticated PSD file processing in ImageMagick (public-facing apps) directly enables T1190; resulting heap memory disclosure of credentials/keys enables T1212.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-25987Same product: Imagemagick Imagemagick
CVE-2026-25898Same product: Imagemagick Imagemagick
CVE-2026-33905Same product: Imagemagick Imagemagick
CVE-2026-26284Same product: Imagemagick Imagemagick
CVE-2026-28693Same product: Imagemagick Imagemagick
CVE-2025-53101Same product: Imagemagick Imagemagick
CVE-2026-23876Same product: Imagemagick Imagemagick
CVE-2025-55298Same product: Imagemagick Imagemagick
CVE-2026-25897Same product: Imagemagick Imagemagick
CVE-2026-25965Same product: Imagemagick Imagemagick

Affected Assets

imagemagick
imagemagick
≤ 6.9.13-40 · 7.0.0-0 — 7.1.2-15

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely patching of ImageMagick to fixed versions 7.1.2-15 or 6.9.13-40, directly eliminating the heap information disclosure vulnerability in the PSD handler.

prevent

Enforces validation of untrusted PSD inputs to reject maliciously crafted files with ZIP-compressed layer data that decompress to less than expected size.

prevent

Prevents leakage of uninitialized heap memory into output images by ensuring error handling does not disclose sensitive information during PSD processing failures.

References