CVE-2026-25897
Published: 24 February 2026
Summary
CVE-2026-25897 is a medium-severity Heap-based Buffer Overflow (CWE-122) vulnerability in ImageMagick (vendor: ImageMagick). Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 6.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote exploitation of the integer overflow in ImageMagick's Sun decoder (via crafted image) directly enables T1190 when the library is used by public-facing applications and T1499.004 for the resulting application DoS via heap corruption.
NVD Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, an Integer Overflow vulnerability exists in the sun decoder. On 32-bit systems/builds, a carefully crafted image can lead to an out of bounds heap write. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
Deeper analysis
CVE-2026-25897 is an integer overflow vulnerability in the Sun decoder of ImageMagick, a free and open-source software suite for editing and manipulating digital images. The flaw affects versions prior to 7.1.2-15 and 6.9.13-40, specifically on 32-bit systems or builds, where processing a carefully crafted image triggers the overflow, resulting in an out-of-bounds heap write. It is rated with a CVSS v3.1 base score of 6.5 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H) and is associated with CWE-122 (Heap-based Buffer Overflow) and CWE-190 (Integer Overflow or Wraparound). The vulnerability was published on 2026-02-24.
A remote, unauthenticated attacker can trigger this vulnerability by supplying a maliciously crafted image file to an ImageMagick instance that processes it with the Sun decoder on a vulnerable 32-bit build. Exploitation requires high attack complexity but no user interaction or privileges. Successful exploitation results primarily in denial of service (high availability impact via heap corruption), with a low confidentiality impact also possible.
The ImageMagick GitHub security advisory (GHSA-6j5f-24fw-pqp4) confirms that versions 7.1.2-15 and 6.9.13-40 include patches for the integer overflow. Security practitioners should upgrade affected ImageMagick installations, particularly 32-bit builds that process untrusted images, and consider disabling the Sun decoder where it is not required.
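The advisory's interim mitigation, disabling the Sun decoder, can be expressed through ImageMagick's security policy file. The fragment below is an added example written for this page; it is not from the advisory or from the ImageMagick project. It assumes the standard `policy.xml` location for the installed ImageMagick build (e.g. `/etc/ImageMagick-7/policy.xml` on many Linux distributions) and that `SUN` is the coder name ImageMagick uses for the Sun raster format.

```xml
<!-- Added example: deny the Sun raster coder in ImageMagick's policy.xml.
     Entries are merged into the existing <policymap>; do not replace the file. -->
<policymap>
  <!-- Block reading and writing of Sun raster images entirely.
       "SUN" is assumed to be the coder name for this format. -->
  <policy domain="coder" rights="none" pattern="SUN" />

  <!-- Optional defence in depth for hosts that process untrusted images:
       cap resource usage so a decoder fault is contained rather than
       exhausting the host. Values are illustrative; tune per deployment. -->
  <policy domain="resource" name="memory" value="256MiB" />
  <policy domain="resource" name="map" value="512MiB" />
  <policy domain="resource" name="width" value="16KP" />
  <policy domain="resource" name="height" value="16KP" />
</policymap>
```

After editing the file, `identify -list policy` prints the effective policy so the `coder` entry for `SUN` can be confirmed, and an attempt to read a `.sun` file should then fail with a policy error rather than reaching the decoder. Disabling a coder is a stop-gap for systems that cannot be upgraded immediately; the fixed versions (7.1.2-15 and 6.9.13-40) remain the primary remediation.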
Details
- CWE(s)