Cyber Resilience

CVE-2026-25897

Medium

Published: 24 February 2026

Published
24 February 2026
Modified
24 February 2026
KEV Added
Patch
CVSS Score v3.1 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H
EPSS Score 0.0030 21.7th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-25897 is a medium-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Imagemagick Imagemagick. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25897 is an integer overflow vulnerability in the Sun decoder of ImageMagick, a free and open-source software suite for editing and manipulating digital images. The flaw affects versions prior to 7.1.2-15 and 6.9.13-40, specifically on 32-bit systems or builds, where processing a carefully crafted image triggers the overflow, resulting in an out-of-bounds heap write. It is rated with a CVSS v3.1 base score of 6.5 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H) and is associated with CWE-122 (Heap-based Buffer Overflow) and CWE-190 (Integer Overflow or Wraparound). The vulnerability was published on 2026-02-24.

A remote, unauthenticated attacker can exploit this vulnerability by supplying a maliciously crafted image file to an ImageMagick instance using the Sun decoder on vulnerable 32-bit systems. Exploitation requires high attack complexity but no user interaction or privileges. Successful exploitation leads to a denial of service through high-impact availability disruption via heap corruption, with low confidentiality impact possible.

The ImageMagick GitHub security advisory (GHSA-6j5f-24fw-pqp4) confirms that versions 7.1.2-15 and 6.9.13-40 include patches to address the integer overflow. Security practitioners should upgrade affected ImageMagick installations, particularly those running 32-bit builds that process untrusted images, and consider disabling the Sun decoder if not required.

EU & UK References

Vulnerability details

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, an Integer Overflow vulnerability exists in the sun decoder. On 32-bit systems/builds, a carefully crafted image can lead to an out…

more

of bounds heap write. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote exploitation of the integer overflow in ImageMagick's Sun decoder (via crafted image) directly enables T1190 when the library is used by public-facing applications and T1499.004 for the resulting application DoS via heap corruption.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25970Same product: Imagemagick Imagemagick
CVE-2026-33900Same product: Imagemagick Imagemagick
CVE-2026-23876Same product: Imagemagick Imagemagick
CVE-2026-33901Same product: Imagemagick Imagemagick
CVE-2026-25794Same product: Imagemagick Imagemagick
CVE-2026-28693Same product: Imagemagick Imagemagick
CVE-2026-25967Same product: Imagemagick Imagemagick
CVE-2026-25985Same product: Imagemagick Imagemagick
CVE-2026-25988Same product: Imagemagick Imagemagick
CVE-2026-25798Same product: Imagemagick Imagemagick

Affected Assets

imagemagick
imagemagick
≤ 6.9.13-40 · 7.0.0-0 — 7.1.2-15

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely installation of the vendor patch that eliminates the integer overflow in the Sun decoder.

prevent

Requires disabling the Sun decoder (or restricting ImageMagick to least functionality) when the feature is not needed, eliminating the attack surface on 32-bit builds.

detect

Mandates scanning to discover unpatched ImageMagick instances that remain vulnerable to crafted Sun-format images.

References