CVE-2026-25985
Published: 24 February 2026
Summary
CVE-2026-25985 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Imagemagick Imagemagick. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
This control implements explicit throttling on session allocation, addressing the weakness of allocating resources without limits.
Plan testing exercises resource allocation limits and throttling during simulated failures, directly addressing weaknesses that allow unbounded resource use.
Contingency plan updates ensure recovery strategies address unbounded resource allocation, making it harder for attackers to exploit lack of throttling to cause prolonged outages.
Provides continuity when unbounded resource allocation at the primary site leads to exhaustion and downtime.
Alternate services allow operations to continue when primary allocation of resources lacks limits or throttling.
Explicit planning of security-related actions requires defining limits, windows, and resource allocations, making allocation without throttling far less likely.
Measures of performance include tracking allocation behavior and throttling effectiveness, reducing the window for resource exhaustion attacks.
Imposes an inactivity-based limit on network resource allocation, throttling the number of concurrently held connections.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Crafted SVG triggers remote memory exhaustion DoS in ImageMagick; directly enables exploitation of public-facing image-processing apps (T1190) and application/system exploitation for endpoint DoS (T1499.004).
NVD Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted SVG file containing an malicious element causes ImageMagick to attempt to allocate ~674 GB of memory, leading to an…
more
out-of-memory abort. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
Deeper analysisAI
CVE-2026-25985 is a memory allocation vulnerability in ImageMagick, a free and open-source software suite for editing and manipulating digital images. In versions prior to 7.1.2-15 and 6.9.13-40, processing a crafted SVG file containing a malicious element triggers ImageMagick to attempt allocating approximately 674 GB of memory, resulting in an out-of-memory abort. The issue is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) and CWE-789 (Memory Allocation with Excessive Size Value), with a CVSS v3.1 base score of 7.5.
Attackers can exploit this vulnerability remotely over the network with low complexity, requiring no privileges or user interaction. Any unauthenticated remote attacker who can induce a target system to process the malicious SVG file—such as through web uploads, email attachments, or image processing services—can cause a denial-of-service condition by exhausting available memory and triggering process termination, impacting availability without affecting confidentiality or integrity.
The official ImageMagick GitHub security advisory (GHSA-v7g2-m8c5-mf84) confirms that versions 7.1.2-15 and 6.9.13-40 include patches to address the issue, recommending immediate upgrades for affected installations.
Details
- CWE(s)