CVE-2026-25576
Heap Buffer Over-Read in ImageMagick Raw Image Processing
Publication date: 2026-02-24
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| imagemagick | imagemagick | to 6.9.13-40 (exc) |
| imagemagick | imagemagick | From 7.0.0-0 (inc) to 7.1.2-15 (exc) |
| dlemstra | magick.net | to 14.10.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-25576 is a moderate severity heap buffer over-read vulnerability in ImageMagick, a software used for editing and manipulating digital images. The vulnerability occurs when processing images where the specified -extract dimensions are larger than the -size dimensions, causing the software to read memory beyond the allocated heap buffer. This out-of-bounds memory read happens in multiple raw image format handlers before versions 7.1.2-15 and 6.9.13-40, which contain patches for this issue.'}, {'type': 'paragraph', 'content': "Technically, the problem was due to loops iterating over pixel columns using the image's column count without ensuring it did not exceed the canvas image's column count. This led to out-of-bounds reads in coders handling raw pixel data formats like BGR, CMYK, GRAY, RAW, RGB, and YCbCr. The fix involved bounding these loops to the minimum of the image and canvas columns to prevent memory access beyond allocated buffers."}] [1, 2]
How can this vulnerability impact me? :
This vulnerability can lead to a heap buffer over-read, which means that ImageMagick may read memory beyond what was allocated for image data. While it does not affect integrity or availability, it has a high impact on confidentiality, potentially exposing sensitive information from memory.
Because the attack vector is local and requires high attack complexity, an attacker would need local access and specific conditions to exploit this vulnerability. However, no privileges or user interaction are required, so if exploited, it could leak confidential data from the system memory where ImageMagick is running.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs when ImageMagick processes images with the -extract dimensions larger than the -size dimensions, causing out-of-bounds memory reads. Detection involves identifying usage of vulnerable ImageMagick versions and monitoring image processing commands that use these parameters.
To detect if your system is vulnerable, first check the installed ImageMagick version:
- magick --version
If the version is prior to 7.1.2-15 or 6.9.13-40, it is vulnerable. You can also monitor or audit commands that process images with -extract and -size options where -extract dimensions exceed -size dimensions, for example:
- magick input.raw -size WxH -extract WxH output.png
Look for scripts or automated processes invoking ImageMagick with these parameters. Network detection is limited since this is a local vulnerability triggered by crafted image files.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade ImageMagick to a patched version that fixes this vulnerability.
- Upgrade to ImageMagick version 7.1.2-15 or later, or 6.9.13-40 or later.
If upgrading immediately is not possible, avoid processing untrusted raw image files, especially those using the -extract option with dimensions larger than -size.
Additionally, review and restrict usage of ImageMagick commands that handle raw image formats (BGR, CMYK, GRAY, RAW, RGB, YCbCr) to trusted inputs only.