CVE-2026-25898
Published: 24 February 2026
Summary
CVE-2026-25898 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in Imagemagick Imagemagick. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated processing of malicious UIL/XPM images by ImageMagick directly enables T1190 (Exploit Public-Facing Application) for initial access; the resulting process crash enables T1499.004 (Application or System Exploitation) for DoS impact. No RCE or other techniques are supported by the read-only overflow.
NVD Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, the UIL and XPM image encoder do not validate the pixel index value returned by `GetPixelIndex()` before using it as an…
more
array subscript. In HDRI builds, `Quantum` is a floating-point type, so pixel index values can be negative. An attacker can craft an image with negative pixel index values to trigger a global buffer overflow read during conversion, leading to information disclosure or a process crash. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
Deeper analysisAI
CVE-2026-25898 is a vulnerability in ImageMagick, a free and open-source software suite for editing and manipulating digital images. It affects versions prior to 7.1.2-15 and 6.9.13-40, specifically in the UIL and XPM image encoders. These encoders fail to validate the pixel index value returned by the `GetPixelIndex()` function before using it as an array subscript. In HDRI builds of ImageMagick, the `Quantum` type is a floating-point value, which allows pixel index values to be negative. Processing a specially crafted image can trigger a global buffer overflow read (CWE-125), potentially leading to information disclosure or a process crash. The vulnerability has a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L).
An attacker can exploit this vulnerability remotely over the network with low complexity and no privileges or user interaction required, as long as a vulnerable ImageMagick instance processes a malicious UIL or XPM image file. Successful exploitation results in limited information disclosure from memory or low-impact denial of service via process crash, but does not allow integrity modification.
The ImageMagick GitHub security advisory (GHSA-vpxv-r9pg-7gpr) confirms that versions 7.1.2-15 and 6.9.13-40 include a patch to address the issue by adding validation for the pixel index value. Security practitioners should update to these fixed versions and avoid processing untrusted images with vulnerable builds, particularly in HDRI configurations.
Details
- CWE(s)