Cyber Resilience

CVE-2026-25798

Medium

Published: 24 February 2026

Published
24 February 2026
Modified
24 February 2026
KEV Added
Patch
CVSS Score v3.1 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS Score 0.0006 20.5th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-25798 is a medium-severity NULL Pointer Dereference (CWE-476) vulnerability in Imagemagick Imagemagick. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2026-25798 is a NULL pointer dereference vulnerability (CWE-476) in the ClonePixelCacheRepository function of ImageMagick, a free and open-source software suite for editing and manipulating digital images. The flaw affects ImageMagick versions prior to 7.1.2-15 and 6.9.13-40, enabling a remote attacker to crash any application linked against the library by supplying a specially crafted image file, resulting in denial of service.

A remote, unauthenticated attacker can exploit this vulnerability over the network with low attack complexity and no user interaction required, as reflected in its CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). Exploitation causes affected applications to crash due to the null pointer dereference, disrupting availability without impacting confidentiality or integrity.

The official ImageMagick security advisory (https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-p863-5fgm-rgq4) confirms that versions 7.1.2-15 and 6.9.13-40 include patches to address the issue. Security practitioners should prioritize updating all linked applications to these fixed versions to mitigate the risk.

EU & UK References

Vulnerability details

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a NULL pointer dereference in ClonePixelCacheRepository allows a remote attacker to crash any application linked against ImageMagick by supplying a crafted…

more

image file, resulting in denial of service. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

NULL pointer dereference enables remote DoS via crafted image file against apps using the library (T1190 for public-facing exploitation and T1499.004 for application exploitation causing crash).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-25795Same product: Imagemagick Imagemagick
CVE-2026-25897Same product: Imagemagick Imagemagick
CVE-2026-28693Same product: Imagemagick Imagemagick
CVE-2026-33901Same product: Imagemagick Imagemagick
CVE-2026-32636Same product: Imagemagick Imagemagick
CVE-2026-25986Same product: Imagemagick Imagemagick
CVE-2026-25968Same product: Imagemagick Imagemagick
CVE-2026-25967Same product: Imagemagick Imagemagick
CVE-2026-25970Same product: Imagemagick Imagemagick
CVE-2026-25898Same product: Imagemagick Imagemagick

Affected Assets

imagemagick
imagemagick
≤ 6.9.13-40 · 7.0.0-0 — 7.1.2-15

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires applying the vendor patch that eliminates the NULL dereference in ClonePixelCacheRepository.

prevent

Enforces configuration settings that restrict ImageMagick to the patched versions 7.1.2-15 / 6.9.13-40 or later.

prevent

Maintains an accurate inventory of ImageMagick instances so vulnerable components can be located and updated.

References