Cyber Resilience

CVE-2026-25966

Medium · LPE

Published: 24 February 2026

Modified: 25 February 2026
KEV Added:
Patch:
CVSS Score v3.1: 5.9 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0001 (0.5th percentile)
Risk Priority: 12 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-25966 is a medium-severity Improper Access Control (CWE-284) vulnerability in ImageMagick. Its CVSS base score is 5.9 (Medium).

Operationally, it is ranked at the 0.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2026-25966 is a vulnerability in ImageMagick, a free and open-source software suite for editing and manipulating digital images. The issue stems from the "secure" security policy, which is intended to prevent reading or writing from standard streams like stdin and stdout. However, ImageMagick supports fd:<n> pseudo-filenames (such as fd:0 for stdin or fd:1 for stdout), and prior to versions 7.1.2-15 and 6.9.13-40, these are not blocked by the secure policy templates, allowing attackers to bypass the protection against standard stream access. This flaw is classified under CWE-284 (Improper Access Control) with a CVSS v3.1 base score of 5.9 (AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

A local attacker can exploit this vulnerability without privileges or user interaction, and the attack complexity is low. By using fd:<n> pseudo-filenames in ImageMagick operations, the attacker can read from or write to standard streams despite the secure policy, potentially leading to limited impacts on confidentiality, integrity, and availability, such as unauthorized data access or modification through manipulated image processing workflows.

The official GitHub security advisory (GHSA-xwc6-v6g8-pw2h) details the patch included in ImageMagick versions 7.1.2-15 and 6.9.13-40, which updates the secure policy templates to block fd:<n> paths by default. As a workaround prior to upgrading, users can manually apply the policy change to their security configuration. Security practitioners should verify and update affected ImageMagick installations promptly.
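The following audit sketch is an added example, not code from ImageMagick or the advisory. It checks whether a policy file denies the stream path forms discussed above. The sample policies are constructed, and the fd:* rule is an assumption about the shape of the fix that should be confirmed against the advisory.

```python
import fnmatch
import sys
import xml.etree.ElementTree as ET

# Constructed sample policies, not copied from ImageMagick's shipped templates.
POLICY_BEFORE = """<policymap>
  <policy domain="path" rights="none" pattern="@*"/>
  <policy domain="path" rights="none" pattern="-"/>
</policymap>"""

# Assumption: the added rule is a path glob such as fd:*; confirm the exact
# line against the advisory or the patched templates.
POLICY_AFTER = POLICY_BEFORE.replace(
    "</policymap>",
    '  <policy domain="path" rights="none" pattern="fd:*"/>\n</policymap>')

# "-" is the conventional stdin/stdout filename (assumed to be what the
# existing rule blocks); fd:0 and fd:1 are from the page, fd:2 is one more fd:<n>.
STREAM_PATHS = ["-", "fd:0", "fd:1", "fd:2"]


def is_denied(policy_xml, path):
    """True if any path-domain rule with rights="none" matches `path`.

    Simplifications: fnmatch stands in for ImageMagick's own glob matcher,
    and rule precedence (a later rule re-granting access) is not modelled.
    """
    for rule in ET.fromstring(policy_xml).iter("policy"):
        if rule.get("domain", "").lower() != "path":
            continue
        if rule.get("rights", "").strip().lower() != "none":
            continue
        if fnmatch.fnmatchcase(path, rule.get("pattern", "")):
            return True
    return False


def unblocked_streams(policy_xml):
    """Return the stream path forms that the policy does not deny."""
    return [p for p in STREAM_PATHS if not is_denied(policy_xml, p)]


if __name__ == "__main__":
    # With an argument, audit that policy.xml; without one, run the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print("not denied:", unblocked_streams(fh.read()))
    else:
        print("before:", unblocked_streams(POLICY_BEFORE))
        print("after: ", unblocked_streams(POLICY_AFTER))
```

An empty result means every listed stream form is denied. Any fd: entry in the output indicates the policy still needs the change.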

Vulnerability details

ImageMagick is free and open-source software used for editing and manipulating digital images. The shipped "secure" security policy includes a rule intended to prevent reading/writing from standard streams. However, ImageMagick also supports fd:<n> pseudo-filenames (e.g., fd:0, fd:1). Prior to versions 7.1.2-15 and 6.9.13-40, this path form is not blocked by the secure policy templates, and therefore bypasses the protection goal of "no stdin/stdout." Versions 7.1.2-15 and 6.9.13-40 contain a patch that includes the change in the more secure policies by default. As a workaround, add the change to one's security policy manually.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-25897 · Same product: ImageMagick
CVE-2026-25965 · Same product: ImageMagick
CVE-2026-33905 · Same product: ImageMagick
CVE-2026-26283 · Same product: ImageMagick
CVE-2026-24481 · Same product: ImageMagick
CVE-2026-30929 · Same product: ImageMagick
CVE-2026-22770 · Same product: ImageMagick
CVE-2026-25970 · Same product: ImageMagick
CVE-2026-25898 · Same product: ImageMagick
CVE-2026-26284 · Same product: ImageMagick

Affected Assets

imagemagick
imagemagick
≤ 6.9.13-40 · 7.0.0-0 — 7.1.2-15

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces the intended access restrictions in ImageMagick's secure policy to block fd:<n> pseudo-filenames from reading/writing standard streams.

prevent

Requires correct configuration of the secure policy templates (including the fd: block) so the protection goal cannot be bypassed.

prevent

Mandates timely application of the vendor patch (7.1.2-15 / 6.9.13-40) that updates the secure policy to close the fd:<n> bypass.
