CVE-2026-25966
Published: 24 February 2026
Summary
CVE-2026-25966 is a medium-severity Improper Access Control (CWE-284) vulnerability in ImageMagick (vendor and product: ImageMagick). Its CVSS base score is 5.9 (Medium).
Operationally, it ranks at the 0.5th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-6 (Configuration Settings).
Deeper analysis
CVE-2026-25966 is a vulnerability in ImageMagick, a free and open-source software suite for editing and manipulating digital images. The issue stems from the "secure" security policy, which is intended to prevent reading or writing from standard streams like stdin and stdout. However, ImageMagick supports fd:<n> pseudo-filenames (such as fd:0 for stdin or fd:1 for stdout), and prior to versions 7.1.2-15 and 6.9.13-40, these are not blocked by the secure policy templates, allowing attackers to bypass the protection against standard stream access. This flaw is classified under CWE-284 (Improper Access Control) with a CVSS v3.1 base score of 5.9 (AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
A local attacker with no privileges can exploit this vulnerability because the attack complexity is low and no user interaction is needed. By passing fd:<n> pseudo-filenames to ImageMagick operations, the attacker can read from or write to standard streams despite the secure policy, with limited impact on confidentiality, integrity, and availability, such as unauthorized data access or modification through manipulated image-processing workflows.
The official GitHub security advisory (GHSA-xwc6-v6g8-pw2h) details the patch included in ImageMagick versions 7.1.2-15 and 6.9.13-40, which updates the secure policy templates to block fd:<n> paths by default. As a workaround prior to upgrading, users can manually apply the policy change to their security configuration. Security practitioners should verify and update affected ImageMagick installations promptly.
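The workaround above amounts to making sure the path-domain rules in policy.xml deny fd:<n> paths as well as the "-" stdin/stdout alias. The following is an added example (not code from the page or from the ImageMagick project) that parses a policy.xml and reports which standard-stream path forms are still unblocked. The two embedded policies are constructed samples: the exact rule text that ImageMagick's secure templates ship, and the precise glob semantics ImageMagick applies to `pattern`, are assumptions here and should be confirmed against the GHSA-xwc6-v6g8-pw2h patch before relying on the check.

```python
"""Check whether an ImageMagick policy.xml denies standard-stream path forms.

Added example for CVE-2026-25966; the policies below are constructed samples,
and the rule matching (glob on the path-domain pattern, rights="none" denies)
is an assumption about ImageMagick's policy evaluation, not a verified model.
"""
import fnmatch
import xml.etree.ElementTree as ET

# Path forms that reach stdin/stdout/stderr: the "-" alias plus fd:<n> pseudo-filenames.
STREAM_PATHS = ("-", "fd:0", "fd:1", "fd:2")


def path_rules(policy_xml):
    """Return (pattern, rights) pairs for every <policy domain="path"> element."""
    root = ET.fromstring(policy_xml)
    return [
        (p.get("pattern", ""), p.get("rights", ""))
        for p in root.iter("policy")
        if p.get("domain") == "path"
    ]


def is_denied(path, rules):
    """A path is treated as denied when a path-domain rule with rights="none"
    has a glob pattern matching it (assumed matching semantics)."""
    return any(
        rights.strip().lower() == "none" and fnmatch.fnmatchcase(path, pattern)
        for pattern, rights in rules
    )


def unblocked_stream_paths(policy_xml):
    """List the standard-stream path forms that the given policy does not deny."""
    rules = path_rules(policy_xml)
    return [p for p in STREAM_PATHS if not is_denied(p, rules)]


def check_policy_file(filename):
    """Convenience wrapper for a real installation, e.g. the policy.xml under
    ImageMagick's configuration directory (path is deployment-specific)."""
    with open(filename, encoding="utf-8") as fh:
        return unblocked_stream_paths(fh.read())


# Constructed sample: a policy that only denies "-" (the pre-fix situation the
# advisory describes, where fd:<n> is not covered).
POLICY_BEFORE = """<policymap>
  <policy domain="path" rights="none" pattern="-"/>
</policymap>"""

# Constructed sample: the same policy with an added rule covering fd:<n> paths
# (assumed shape of the manual workaround; confirm against the advisory).
POLICY_AFTER = """<policymap>
  <policy domain="path" rights="none" pattern="-"/>
  <policy domain="path" rights="none" pattern="fd:*"/>
</policymap>"""


if __name__ == "__main__":
    for label, policy in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        gaps = unblocked_stream_paths(policy)
        print(f"{label}: unblocked stream paths = {gaps or 'none'}")
```

Run against a deployment's own policy.xml with `check_policy_file(...)`; an empty list means every stream path form in STREAM_PATHS hit a deny rule, while a non-empty list names the forms still open, which on an unpatched build is exactly the fd:<n> set. The check is deliberately conservative: it does not model rule ordering, other domains, or environment-driven policy lookup, so a clean result is a prerequisite for, not a substitute for, upgrading to 7.1.2-15 / 6.9.13-40.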
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7437
Vulnerability details
ImageMagick is free and open-source software used for editing and manipulating digital images. The shipped "secure" security policy includes a rule intended to prevent reading/writing from standard streams. However, ImageMagick also supports fd:<n> pseudo-filenames (e.g., fd:0, fd:1). Prior to versions 7.1.2-15 and 6.9.13-40, this path form is not blocked by the secure policy templates, and therefore bypasses the protection goal of "no stdin/stdout." Versions 7.1.2-15 and 6.9.13-40 contain a patch by including a change to the more secure policies by default. As a workaround, add the change to one's security policy manually.
Related Threats
MITRE ATT&CK Enterprise Techniques: insufficient information to map techniques.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces the intended access restrictions in ImageMagick's secure policy to block fd:<n> pseudo-filenames from reading/writing standard streams.
- CM-6 (Configuration Settings): requires correct configuration of the secure policy templates (including the fd: block) so the protection goal cannot be bypassed.
- Mandates timely application of the vendor patch (7.1.2-15 / 6.9.13-40) that updates the secure policy to close the fd:<n> bypass.