Cyber Resilience

CVE-2026-25983

Medium

Published: 24 February 2026

Published
24 February 2026
Modified
25 February 2026
KEV Added
Patch
CVSS Score v3.1 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS Score 0.0043 34.7th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-25983 is a medium-severity Use After Free (CWE-416) vulnerability in Imagemagick Imagemagick. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).

Deeper analysis

CVE-2026-25983 is a heap-use-after-free vulnerability (CWE-416) in ImageMagick, a free and open-source software suite for editing and manipulating digital images. The issue affects versions prior to 7.1.2-15 and 6.9.13-40. It arises when processing a crafted MSL (Magick Scripting Language) script, where the operation element handler replaces and frees the image object while the parser continues reading from it, resulting in a use-after-free condition in the ReadBlobString function during subsequent parsing.

An unauthenticated attacker can exploit this vulnerability remotely with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). By supplying a malicious MSL script to an ImageMagick instance, the attacker triggers the heap-use-after-free, potentially causing a denial-of-service condition through application crashes or memory corruption that impacts availability.

The ImageMagick security advisory at https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-fwqw-2x5x-w566 details the patch in versions 7.1.2-15 and 6.9.13-40, recommending immediate upgrades to these or later versions for mitigation. Security practitioners should audit deployments processing untrusted MSL inputs and apply the patches promptly.

EU & UK References

Vulnerability details

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted MSL script triggers a heap-use-after-free. The operation element handler replaces and frees the image while the parser continues reading…

more

from it, leading to a UAF in ReadBlobString during further parsing. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote unauthenticated supply of malicious MSL input to ImageMagick instance enables exploitation of public-facing apps (T1190) resulting in crash/memory corruption DoS via application exploitation (T1499.004).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25967Same product: Imagemagick Imagemagick
CVE-2026-28693Same product: Imagemagick Imagemagick
CVE-2026-25985Same product: Imagemagick Imagemagick
CVE-2026-25988Same product: Imagemagick Imagemagick
CVE-2026-25798Same product: Imagemagick Imagemagick
CVE-2026-32636Same product: Imagemagick Imagemagick
CVE-2026-25970Same product: Imagemagick Imagemagick
CVE-2026-25897Same product: Imagemagick Imagemagick
CVE-2026-25898Same product: Imagemagick Imagemagick
CVE-2026-25968Same product: Imagemagick Imagemagick

Affected Assets

imagemagick
imagemagick
≤ 6.9.13-40 · 7.0.0-0 — 7.1.2-15

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely application of the vendor patch that eliminates the UAF in the MSL parser (versions 7.1.2-15 / 6.9.13-40).

prevent

Requires validation of untrusted MSL input before it reaches the vulnerable operation-element handler and ReadBlobString path.

prevent

Enforces disabling or restricting the MSL coder/policy when processing untrusted scripts, removing the attack surface that triggers the UAF.

References