Cyber Resilience

CVE-2026-25969

Severity: Medium
Published: 24 February 2026
Modified: 25 February 2026
KEV Added: not listed
Patch: ImageMagick 7.1.2-15
CVSS v3.1: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
EPSS: 0.0002 (5.5th percentile)
Risk Priority: 11 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-25969 is a medium-severity Missing Release of Memory after Effective Lifetime (CWE-401) vulnerability in ImageMagick (vendor: ImageMagick). Its CVSS v3.1 base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 5.5th percentile by EPSS exploit likelihood (below the median) and is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2026-25969 is a memory leak vulnerability (CWE-401) in ImageMagick, a free and open-source software suite for editing and manipulating digital images. The issue resides in the `coders/ashlar.c` file, where the `WriteASHLARImage` function allocates a structure but fails to release the memory when an exception is thrown. This affects all versions of ImageMagick prior to 7.1.2-15.

The vulnerability has a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L): it is exploitable over the network with low attack complexity, requires neither privileges nor user interaction, and affects availability only. An unauthenticated remote attacker can trigger the leak by getting an affected system to process a specially crafted image in the ASHLAR format; repeated triggering can lead to gradual resource exhaustion and denial-of-service conditions on affected systems.

The official GitHub security advisory (GHSA-xgm3-v4r9-wfgm) confirms the issue and states that ImageMagick version 7.1.2-15 addresses it with a patch that ensures proper memory release upon exceptions. Security practitioners should update to this version or later to mitigate the risk.

Vulnerability details

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-15, a memory leak exists in `coders/ashlar.c`. The `WriteASHLARImage` function allocates a structure. However, when an exception is thrown, the allocated memory is not properly released, resulting in a potential memory leak. Version 7.1.2-15 contains a patch.

CWE(s): CWE-401 Missing Release of Memory after Effective Lifetime

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The remotely triggerable memory leak in ImageMagick lets an attacker exploit a public-facing application (T1190) and cause resource exhaustion and denial of service with crafted input (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-25988 (same product: ImageMagick)
CVE-2026-25796 (same product: ImageMagick)
CVE-2026-25985 (same product: ImageMagick)
CVE-2026-25897 (same product: ImageMagick)
CVE-2026-25983 (same product: ImageMagick)
CVE-2026-25970 (same product: ImageMagick)
CVE-2026-33900 (same product: ImageMagick)
CVE-2026-28693 (same product: ImageMagick)
CVE-2026-25967 (same product: ImageMagick)
CVE-2026-25898 (same product: ImageMagick)

Affected Assets

Vendor: imagemagick
Product: imagemagick
Versions: ≤ 7.1.2-15

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Prevent (SI-2 Flaw Remediation): Directly requires timely installation of the vendor patch (7.1.2-15) that eliminates the memory leak in WriteASHLARImage.

Detect: Enables continuous monitoring of memory and resource consumption to identify gradual exhaustion caused by repeated triggering of the ASHLAR coder leak.

Prevent (CM-6 Configuration Settings): Allows enforcement of approved software versions and configuration settings that prohibit use of vulnerable ImageMagick releases.