CVE-2026-25986
Published: 24 February 2026
Summary
CVE-2026-25986 is a medium-severity Out-of-bounds Write (CWE-787) vulnerability in ImageMagick. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 7.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated exploitation of ImageMagick image-processing services via crafted YUV files directly enables T1190 (Exploit Public-Facing Application) and produces application crashes/resource exhaustion, mapping to T1499.004 (Application or System Exploitation).
NVD Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap buffer overflow write vulnerability exists in ReadYUVImage() (coders/yuv.c) when processing malicious YUV 4:2:2 (NoInterlace) images. The pixel-pair loop writes one pixel beyond the allocated row buffer. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
Deeper analysis
CVE-2026-25986 is a heap buffer overflow write vulnerability (CWE-787) in ImageMagick, a free and open-source software suite for editing and manipulating digital images. It affects all versions prior to 7.1.2-15 and 6.9.13-40, specifically in the ReadYUVImage() function within coders/yuv.c. The flaw occurs when processing malicious YUV 4:2:2 (NoInterlace) images, where a pixel-pair loop writes one pixel beyond the allocated row buffer, potentially leading to heap corruption.
The vulnerability carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L), indicating network accessibility with low attack complexity, no required privileges or user interaction, and unchanged impact scope. Remote attackers can exploit it by supplying a crafted YUV image to an ImageMagick-based application or service, achieving limited denial-of-service effects such as application crashes or resource exhaustion due to the buffer overflow, without compromising confidentiality or integrity.
The official ImageMagick GitHub security advisory (GHSA-mqfc-82jx-3mr2) documents the issue and confirms that patches addressing the out-of-bounds write are included in versions 7.1.2-15 and 6.9.13-40. Security practitioners should prioritize upgrading affected ImageMagick installations to these patched versions and validate image inputs where possible to prevent exploitation.
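A version check for the upgrade guidance above, as an added example that is not part of the original page or the ImageMagick project: it parses the banner printed by `magick -version` (or `convert -version` on 6.x) and compares it with the patched releases named in the text. The function names and the sample banners are constructed for illustration.

```python
import re

# Patched releases named in the advisory text, keyed by major branch.
PATCHED = {7: (7, 1, 2, 15), 6: (6, 9, 13, 40)}

# Matches the release token in a version banner such as
# "Version: ImageMagick 7.1.1-29 Q16-HDRI x86_64 https://imagemagick.org".
_BANNER = re.compile(r"ImageMagick\s+(\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_version(banner):
    """Return (major, minor, micro, patch) from a version banner, or None."""
    m = _BANNER.search(banner)
    return tuple(int(g) for g in m.groups()) if m else None


def assess(banner):
    """Classify a banner as 'patched', 'vulnerable' or 'unknown'.

    Caveat: distribution packages may backport the fix without changing the
    upstream version string, so 'vulnerable' here means "check the package
    changelog", not a confirmed finding.
    """
    version = parse_version(banner)
    if version is None:
        return "unknown"
    fixed = PATCHED.get(version[0])
    if fixed is None:
        # The page names fixed releases only for the 6.x and 7.x branches.
        return "unknown"
    # Tuple comparison orders (major, minor, micro, patch) numerically.
    return "patched" if version >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample banners, not captured from real hosts.
    samples = [
        "Version: ImageMagick 7.1.2-14 Q16-HDRI x86_64 https://imagemagick.org",
        "Version: ImageMagick 7.1.2-15 Q16-HDRI x86_64 https://imagemagick.org",
        "Version: ImageMagick 6.9.13-39 Q16 x86_64 https://legacy.imagemagick.org",
        "GraphicsMagick 1.3.42",
    ]
    for banner in samples:
        print(f"{assess(banner):10s} {banner}")
```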
Details
- CWE(s)