Cyber Resilience

CVE-2026-25985

HighDDoS

Published: 24 February 2026

Published
24 February 2026
Modified
25 February 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0002 5.5th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-25985 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Imagemagick Imagemagick. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2026-25985 is a memory allocation vulnerability in ImageMagick, a free and open-source software suite for editing and manipulating digital images. In versions prior to 7.1.2-15 and 6.9.13-40, processing a crafted SVG file containing a malicious element triggers ImageMagick to attempt allocating approximately 674 GB of memory, resulting in an out-of-memory abort. The issue is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) and CWE-789 (Memory Allocation with Excessive Size Value), with a CVSS v3.1 base score of 7.5.

Attackers can exploit this vulnerability remotely over the network with low complexity, requiring no privileges or user interaction. Any unauthenticated remote attacker who can induce a target system to process the malicious SVG file—such as through web uploads, email attachments, or image processing services—can cause a denial-of-service condition by exhausting available memory and triggering process termination, impacting availability without affecting confidentiality or integrity.

The official ImageMagick GitHub security advisory (GHSA-v7g2-m8c5-mf84) confirms that versions 7.1.2-15 and 6.9.13-40 include patches to address the issue, recommending immediate upgrades for affected installations.

EU & UK References

Vulnerability details

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted SVG file containing an malicious element causes ImageMagick to attempt to allocate ~674 GB of memory, leading to an…

more

out-of-memory abort. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Crafted SVG triggers remote memory exhaustion DoS in ImageMagick; directly enables exploitation of public-facing image-processing apps (T1190) and application/system exploitation for endpoint DoS (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-25897Same product: Imagemagick Imagemagick
CVE-2026-25970Same product: Imagemagick Imagemagick
CVE-2026-25898Same product: Imagemagick Imagemagick
CVE-2026-33900Same product: Imagemagick Imagemagick
CVE-2026-33901Same product: Imagemagick Imagemagick
CVE-2026-32636Same product: Imagemagick Imagemagick
CVE-2026-25968Same product: Imagemagick Imagemagick
CVE-2026-25967Same product: Imagemagick Imagemagick
CVE-2026-25988Same product: Imagemagick Imagemagick
CVE-2026-25969Same product: Imagemagick Imagemagick

Affected Assets

imagemagick
imagemagick
≤ 6.9.13-40 · 7.0.0-0 — 7.1.2-15

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely flaw remediation through patching ImageMagick to versions 7.1.2-15 or 6.9.13-40 directly eliminates the memory allocation vulnerability triggered by crafted SVG files.

prevent

Resource availability controls limit memory allocation to ImageMagick processes, preventing excessive resource consumption from malicious SVG elements.

prevent

Denial-of-service protection implements measures to counter memory exhaustion attacks like the out-of-memory abort induced by this CVE.

References