CVE-2026-25970
Published: 24 February 2026
Summary
CVE-2026-25970 is a medium-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Imagemagick Imagemagick. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-25970 is a signed integer overflow vulnerability (CWE-190) in the SIXEL decoder of ImageMagick, a free and open-source software suite for editing and manipulating digital images. The flaw affects versions prior to 7.1.2-15 and 6.9.13-40. It occurs during buffer reallocation operations where pointer arithmetic using signed 32-bit integers overflows when processing a maliciously crafted SIXEL image file, potentially leading to memory corruption.
An unauthenticated attacker (PR:N) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N), as reflected in its CVSS v3.1 base score of 5.3 (S:U/C:N/I:N/A:L). Exploitation triggers memory corruption in the ImageMagick process, resulting in a denial-of-service condition with low availability impact.
ImageMagick has patched the vulnerability in versions 7.1.2-15 and 6.9.13-40. Security practitioners should upgrade affected systems to these versions for mitigation. Additional details are provided in the GitHub security advisory at https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xg29-8ghv-v4xr.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7429
Vulnerability details
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a signed integer overflow vulnerability in ImageMagick's SIXEL decoder allows an attacker to trigger memory corruption and denial of service when…
more
processing a maliciously crafted SIXEL image file. The vulnerability occurs during buffer reallocation operations where pointer arithmetic using signed 32-bit integers overflows. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Signed integer overflow in SIXEL decoder enables remote exploitation of ImageMagick in public-facing apps (e.g., image upload/processing services) to trigger memory corruption and DoS.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely application of the vendor patch that eliminates the signed integer overflow in the SIXEL decoder.
Requires validation of image input data to reject or safely handle malformed SIXEL files before buffer-reallocation arithmetic occurs.
Applies memory-protection mechanisms that can contain or block exploitation of the resulting memory corruption.