CVE-2026-25796
Published: 24 February 2026
Summary
CVE-2026-25796 is a medium-severity Missing Release of Memory after Effective Lifetime (CWE-401) vulnerability in Imagemagick Imagemagick. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 8.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-25796 is a memory leak vulnerability in ImageMagick, a free and open-source software suite for editing and manipulating digital images. The issue resides in the `ReadSTEGANOImage()` function within `coders/stegano.c`, where the `watermark` Image object is not freed along three early-return paths. This results in a definite memory leak of approximately 13.5KB or more per invocation, affecting all versions prior to 7.1.2-15 and 6.9.13-40.
The vulnerability carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L), indicating it is exploitable over the network with low attack complexity, requiring no privileges or user interaction. Any unauthenticated attacker can trigger the leak by supplying a specially crafted image that invokes the STEGANO coder, leading to repeated memory consumption and potential denial of service through resource exhaustion on affected systems processing such images.
The ImageMagick GitHub security advisory (GHSA-g2pr-qxjg-7r2w) confirms the patch in versions 7.1.2-15 and 6.9.13-40, which addresses the failure to free the watermark object on the identified early-return paths. Security practitioners should update to these fixed releases to mitigate the issue, classified under CWE-401 (Memory Leak).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7446
Vulnerability details
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, in `ReadSTEGANOImage()` (`coders/stegano.c`), the `watermark` Image object is not freed on three early-return paths, resulting in a definite memory leak (~13.5KB+…
more
per invocation) that can be exploited for denial of service. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Memory leak in image processing function can be triggered remotely by crafted input to exhaust application resources, directly enabling T1499.004 (Application or System Exploitation) for denial of service.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely application of the vendor patch that frees the watermark object on all early-return paths in ReadSTEGANOImage().
Mandates protection against network-exploitable resource-exhaustion DoS attacks that repeatedly trigger the 13.5 KB leak.
Limits allocation and availability of memory resources so that repeated STEGANO invocations cannot exhaust system memory.