CVE-2026-25794
Published: 24 February 2026
Summary
CVE-2026-25794 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in ImageMagick. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 5.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely remediation of identified flaws, directly addressing this CVE by applying the ImageMagick patch in version 7.1.2-15 that uses 64-bit arithmetic to prevent integer overflow.
SI-10 enforces validation of information inputs like crafted UHD images with large dimensions, preventing the integer overflow trigger in untrusted processing scenarios.
SI-16 implements memory protections that mitigate exploitation of the heap-based buffer overflow from undersized allocations and out-of-bounds writes.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly enables remote exploitation of public-facing image processing services (T1190) via a maliciously crafted image file (T1204.002) that triggers integer overflow and heap corruption when processed by ImageMagick.
NVD Description
ImageMagick is free and open-source software used for editing and manipulating digital images. `WriteUHDRImage` in `coders/uhdr.c` uses `int` arithmetic to compute the pixel buffer size. Prior to version 7.1.2-15, when image dimensions are large, the multiplication overflows 32-bit `int`, causing an undersized heap allocation followed by an out-of-bounds write. This can crash the process or potentially lead to an out of bounds heap write. Version 7.1.2-15 contains a patch.
Deeper analysis
CVE-2026-25794 is an integer overflow vulnerability in ImageMagick, a free and open-source software suite for editing and manipulating digital images. The issue resides in the `WriteUHDRImage` function within `coders/uhdr.c`, where `int` arithmetic is used to compute the pixel buffer size. In versions prior to 7.1.2-15, large image dimensions can cause a 32-bit `int` multiplication to overflow, resulting in an undersized heap allocation followed by an out-of-bounds write. This flaw is classified under CWE-122 (Heap-based Buffer Overflow) and CWE-190 (Integer Overflow or Wraparound), with a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H).
Remote, unauthenticated attackers can exploit this vulnerability by supplying a specially crafted UHD image to an ImageMagick instance processing untrusted input, such as in web applications or image conversion services. Successful exploitation leads to process crashes for denial-of-service or, in some cases, out-of-bounds heap writes that could enable further memory corruption.
The official GitHub security advisory (GHSA-vhqj-f5cj-9x8h) confirms that ImageMagick version 7.1.2-15 includes a patch to address the integer overflow by using appropriate 64-bit arithmetic for buffer size calculations. Security practitioners should upgrade to this version or later and validate image inputs where possible.
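The arithmetic pattern described above, shown as an added illustration that is not ImageMagick's code or the actual patch: a 32-bit size calculation that wraps, next to a 64-bit calculation with overflow checks. The function names, the bytes-per-pixel values and the sample dimensions are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* "Before" pattern: buffer size computed in 32 bits. Modelled with uint32_t
   so the wrap is well defined (signed int overflow is undefined in C). */
static uint32_t size_32bit(uint32_t columns, uint32_t rows, uint32_t bpp)
{
    return columns * rows * bpp;
}

/* "After" pattern: 64-bit arithmetic with explicit overflow checks.
   Returns 0 and stores the size on success, -1 if the size is unusable. */
static int size_checked(uint64_t columns, uint64_t rows, uint64_t bpp,
                        uint64_t *out)
{
    if (columns == 0 || rows == 0 || bpp == 0)
        return -1;
    if (columns > UINT64_MAX / rows)
        return -1;                      /* columns * rows would wrap */
    uint64_t pixels = columns * rows;
    if (pixels > UINT64_MAX / bpp)
        return -1;                      /* pixels * bpp would wrap */
    *out = pixels * bpp;
    return 0;
}

int main(void)
{
    /* Constructed dimensions and bytes-per-pixel, not from the advisory. */
    uint32_t dims[][3] = {
        {1920, 1080, 8}, {40000, 30000, 8}, {32768, 32768, 4}
    };
    for (size_t i = 0; i < sizeof dims / sizeof dims[0]; i++) {
        uint64_t need = 0;
        int rc = size_checked(dims[i][0], dims[i][1], dims[i][2], &need);
        uint32_t got = size_32bit(dims[i][0], dims[i][1], dims[i][2]);
        printf("%ux%u bpp=%u: 32-bit=%u 64-bit=%llu %s\n",
               dims[i][0], dims[i][1], dims[i][2], got,
               (unsigned long long)need,
               (rc == 0 && got < need) ? "UNDERSIZED" : "ok");
    }
    return 0;
}
```

Any row marked UNDERSIZED is a case where an allocation sized by the 32-bit result would be smaller than the data later written into it.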
Details
- CWE(s)