Cyber Resilience

CVE-2026-25898

Medium

Published: 24 February 2026

Published
24 February 2026
Modified
25 February 2026
KEV Added
Patch
CVSS Score v3.1 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
EPSS Score 0.0035 26.5th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-25898 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in Imagemagick Imagemagick. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25898 is a vulnerability in ImageMagick, a free and open-source software suite for editing and manipulating digital images. It affects versions prior to 7.1.2-15 and 6.9.13-40, specifically in the UIL and XPM image encoders. These encoders fail to validate the pixel index value returned by the `GetPixelIndex()` function before using it as an array subscript. In HDRI builds of ImageMagick, the `Quantum` type is a floating-point value, which allows pixel index values to be negative. Processing a specially crafted image can trigger a global buffer overflow read (CWE-125), potentially leading to information disclosure or a process crash. The vulnerability has a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L).

An attacker can exploit this vulnerability remotely over the network with low complexity and no privileges or user interaction required, as long as a vulnerable ImageMagick instance processes a malicious UIL or XPM image file. Successful exploitation results in limited information disclosure from memory or low-impact denial of service via process crash, but does not allow integrity modification.

The ImageMagick GitHub security advisory (GHSA-vpxv-r9pg-7gpr) confirms that versions 7.1.2-15 and 6.9.13-40 include a patch to address the issue by adding validation for the pixel index value. Security practitioners should update to these fixed versions and avoid processing untrusted images with vulnerable builds, particularly in HDRI configurations.

EU & UK References

Vulnerability details

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, the UIL and XPM image encoder do not validate the pixel index value returned by `GetPixelIndex()` before using it as an…

more

array subscript. In HDRI builds, `Quantum` is a floating-point type, so pixel index values can be negative. An attacker can craft an image with negative pixel index values to trigger a global buffer overflow read during conversion, leading to information disclosure or a process crash. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote unauthenticated processing of malicious UIL/XPM images by ImageMagick directly enables T1190 (Exploit Public-Facing Application) for initial access; the resulting process crash enables T1499.004 (Application or System Exploitation) for DoS impact. No RCE or other techniques are supported by the read-only overflow.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25987Same product: Imagemagick Imagemagick
CVE-2026-28693Same product: Imagemagick Imagemagick
CVE-2026-33905Same product: Imagemagick Imagemagick
CVE-2026-24481Same product: Imagemagick Imagemagick
CVE-2026-25967Same product: Imagemagick Imagemagick
CVE-2026-25985Same product: Imagemagick Imagemagick
CVE-2026-25988Same product: Imagemagick Imagemagick
CVE-2026-25798Same product: Imagemagick Imagemagick
CVE-2026-25983Same product: Imagemagick Imagemagick
CVE-2026-32636Same product: Imagemagick Imagemagick

Affected Assets

imagemagick
imagemagick
≤ 6.9.13-40 · 7.0.0-0 — 7.1.2-15

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely application of the vendor patch (7.1.2-15 / 6.9.13-40) that adds the missing GetPixelIndex validation.

prevent

Mandates input validation on untrusted pixel-index data supplied by crafted UIL/XPM files before it is used as an array subscript.

prevent

Requires memory-protection mechanisms that can limit the impact of the out-of-bounds read on process memory or stability.

References