CVE-2026-25985
Published: 24 February 2026
Summary
CVE-2026-25985 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Imagemagick Imagemagick. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Deeper analysis
CVE-2026-25985 is a memory allocation vulnerability in ImageMagick, a free and open-source software suite for editing and manipulating digital images. In versions prior to 7.1.2-15 and 6.9.13-40, processing a crafted SVG file containing a malicious element triggers ImageMagick to attempt allocating approximately 674 GB of memory, resulting in an out-of-memory abort. The issue is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) and CWE-789 (Memory Allocation with Excessive Size Value), with a CVSS v3.1 base score of 7.5.
Attackers can exploit this vulnerability remotely over the network with low complexity, requiring no privileges or user interaction. Any unauthenticated remote attacker who can induce a target system to process the malicious SVG file—such as through web uploads, email attachments, or image processing services—can cause a denial-of-service condition by exhausting available memory and triggering process termination, impacting availability without affecting confidentiality or integrity.
The official ImageMagick GitHub security advisory (GHSA-v7g2-m8c5-mf84) confirms that versions 7.1.2-15 and 6.9.13-40 include patches to address the issue, recommending immediate upgrades for affected installations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7423
Vulnerability details
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted SVG file containing an malicious element causes ImageMagick to attempt to allocate ~674 GB of memory, leading to an…
more
out-of-memory abort. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Crafted SVG triggers remote memory exhaustion DoS in ImageMagick; directly enables exploitation of public-facing image-processing apps (T1190) and application/system exploitation for endpoint DoS (T1499.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Timely flaw remediation through patching ImageMagick to versions 7.1.2-15 or 6.9.13-40 directly eliminates the memory allocation vulnerability triggered by crafted SVG files.
Resource availability controls limit memory allocation to ImageMagick processes, preventing excessive resource consumption from malicious SVG elements.
Denial-of-service protection implements measures to counter memory exhaustion attacks like the out-of-memory abort induced by this CVE.