Cyber Resilience

CVE-2026-25986

Severity: Medium
Published: 24 February 2026
Modified: 25 February 2026
KEV: not listed
Patch: available
CVSS v3.1 score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
EPSS score: 0.0046 (36.5th percentile)
Risk priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-25986 is a medium-severity out-of-bounds write (CWE-787) vulnerability in ImageMagick (vendor: ImageMagick). Its CVSS v3.1 base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 36.5th percentile by exploit likelihood, below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25986 is a heap buffer overflow write vulnerability (CWE-787) in ImageMagick, a free and open-source software suite for editing and manipulating digital images. It affects all versions prior to 7.1.2-15 and 6.9.13-40, specifically in the ReadYUVImage() function within coders/yuv.c. The flaw occurs when processing malicious YUV 4:2:2 (NoInterlace) images, where a pixel-pair loop writes one pixel beyond the allocated row buffer, potentially leading to heap corruption.

The vulnerability carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L), indicating network accessibility with low attack complexity, no required privileges or user interaction, and unchanged impact scope. Remote attackers can exploit it by supplying a crafted YUV image to an ImageMagick-based application or service, achieving limited denial-of-service effects such as application crashes or resource exhaustion due to the buffer overflow, without compromising confidentiality or integrity.

The official ImageMagick GitHub security advisory (GHSA-mqfc-82jx-3mr2) documents the issue and confirms that patches addressing the out-of-bounds write are included in versions 7.1.2-15 and 6.9.13-40. Security practitioners should prioritize upgrading affected ImageMagick installations to these patched versions and validate image inputs where possible to prevent exploitation.
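As a practical follow-up to the upgrade guidance, here is an added example (not code from the advisory or from ImageMagick) that parses the first line of `magick --version` / `convert --version` output and flags installs older than the fixed releases named above. The host names and version lines are constructed samples, and the regex assumes the upstream "ImageMagick X.Y.Z-N" version format.

```python
import re

# Fixed releases for CVE-2026-25986, one per ImageMagick major line, as stated in the advisory.
FIXED = {6: (6, 9, 13, 40), 7: (7, 1, 2, 15)}

# Matches the leading version token in --version output,
# e.g. "Version: ImageMagick 7.1.2-14 Q16-HDRI x86_64 ..." (assumed upstream format).
_VERSION_RE = re.compile(r"ImageMagick\s+(\d+)\.(\d+)\.(\d+)-(\d+)")

# Constructed sample output, one first line per host; these are not real systems.
SAMPLE_OUTPUT = {
    "web-01": "Version: ImageMagick 7.1.2-14 Q16-HDRI x86_64 22781 https://imagemagick.org",
    "web-02": "Version: ImageMagick 7.1.2-15 Q16-HDRI x86_64 22790 https://imagemagick.org",
    "legacy-01": "Version: ImageMagick 6.9.13-39 Q16 x86_64 17861 https://legacy.imagemagick.org",
    "legacy-02": "Version: ImageMagick 6.9.13-40 Q16 x86_64 17880 https://legacy.imagemagick.org",
    "odd-01": "command not found: magick",
}


def parse_version(text):
    """Return (major, minor, patch, release) from version output, or None if absent."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def is_vulnerable(version):
    """True if the version predates the fix on its major line.

    Major lines other than 6 and 7 are not described by the advisory, so they are
    treated as not affected (assumption, not a statement from the advisory).
    """
    fixed = FIXED.get(version[0])
    if fixed is None:
        return False
    return version < fixed  # tuple comparison orders major, minor, patch, release


def assess(output):
    """Classify one host's version output as 'vulnerable', 'patched' or 'unknown'."""
    v = parse_version(output)
    if v is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(v) else "patched"


def assess_fleet(outputs=SAMPLE_OUTPUT):
    """Map each host to its classification; 'unknown' hosts need manual follow-up."""
    return {host: assess(text) for host, text in outputs.items()}


if __name__ == "__main__":
    for host, status in assess_fleet().items():
        print(f"{host}: {status}")
```

Distribution packages often backport fixes without bumping the upstream version string, so treat a "vulnerable" result as a prompt to check the package changelog rather than as a final verdict.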

Vulnerability details

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap buffer overflow write vulnerability exists in ReadYUVImage() (coders/yuv.c) when processing malicious YUV 4:2:2 (NoInterlace) images. The pixel-pair loop writes one pixel beyond the allocated row buffer. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

Remote unauthenticated exploitation of ImageMagick image-processing services via crafted YUV files directly enables T1190 (Exploit Public-Facing Application) and produces application crashes/resource exhaustion, mapping to T1499.004 (Application or System Exploitation).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32636 (same product: ImageMagick)
CVE-2026-25967 (same product: ImageMagick)
CVE-2026-25968 (same product: ImageMagick)
CVE-2026-33901 (same product: ImageMagick)
CVE-2026-28693 (same product: ImageMagick)
CVE-2026-25985 (same product: ImageMagick)
CVE-2026-25988 (same product: ImageMagick)
CVE-2026-25798 (same product: ImageMagick)
CVE-2026-25983 (same product: ImageMagick)
CVE-2026-25970 (same product: ImageMagick)

Affected Assets

ImageMagick (vendor: ImageMagick): ≤ 6.9.13-40 · 7.0.0-0 to 7.1.2-15

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

prevent · SI-2 (Flaw Remediation): Directly requires timely application of the vendor patches (7.1.2-15 / 6.9.13-40) that close the out-of-bounds write in ReadYUVImage().

prevent · SI-10 (Information Input Validation): Mandates validation and sanitization of image inputs before they reach the vulnerable YUV 4:2:2 decoder, blocking the malicious pixel-pair data that triggers the heap overflow.

prevent: Provides memory-protection mechanisms that can contain or abort the heap buffer write before it produces exploitable corruption or a crash.
