CVE-2026-25795
Received Received - Intake
NULL Pointer Dereference in ImageMagick ReadSFWImage Causes Crash

Publication date: 2026-02-24

Last updated on: 2026-02-24

Assigner: GitHub, Inc.

Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, in `ReadSFWImage()` (`coders/sfw.c`), when temporary file creation fails, `read_info` is destroyed before its `filename` member is accessed, causing a NULL pointer dereference and crash. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-24
Last Modified
2026-02-24
Generated
2026-06-16
AI Q&A
2026-02-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25795
EUVD
EUVD-2026-7447
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
imagemagick imagemagick to 6.9.13-40 (exc)
imagemagick imagemagick From 7.0.0-0 (inc) to 7.1.2-15 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability causes a denial of service by crashing the ImageMagick application due to a NULL pointer dereference.

Since the crash can be triggered remotely without any privileges or user interaction, it could disrupt services relying on ImageMagick for image processing.

However, it does not impact confidentiality or integrity of data.

Compliance Impact

I don't know

Executive Summary

CVE-2026-25795 is a moderate severity vulnerability in ImageMagick affecting versions prior to 7.1.2-15 and 6.9.13-40.

The issue occurs in the ReadSFWImage() function within the coders/sfw.c file. Specifically, when the creation of a temporary file fails, the read_info structure is destroyed before its filename member is accessed.

This sequence leads to a NULL pointer dereference, causing the program to crash.

The vulnerability is identified as CWE-476 (NULL Pointer Dereference) and can be triggered remotely over a network without requiring any privileges or user interaction.

Detection Guidance

This vulnerability can be detected by monitoring for application crashes caused by NULL pointer dereferences in ImageMagick, specifically in the ReadSFWImage() function. The issue was originally detected using AddressSanitizer, which reported an unknown signal due to dereferencing a NULL pointer.

To detect this on your system, you can run ImageMagick with AddressSanitizer enabled to catch NULL pointer dereferences during image processing.

Additionally, monitoring system logs for crashes or segmentation faults related to ImageMagick processes can help identify exploitation attempts.

  • Use AddressSanitizer when compiling ImageMagick to detect NULL pointer dereferences.
  • Check system logs (e.g., /var/log/syslog or journalctl) for ImageMagick crashes.
  • Run commands like `dmesg | grep -i imagemagick` or `journalctl -xe | grep -i imagemagick` to find crash reports.
Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade ImageMagick to a patched version. Versions 7.1.2-15 and 6.9.13-40 contain the fix for this issue.

Since the vulnerability can be triggered remotely without privileges or user interaction, applying the patch promptly is critical to prevent denial of service attacks.

  • Upgrade ImageMagick to version 7.1.2-15 or later, or 6.9.13-40 or later.
  • If upgrading immediately is not possible, consider restricting network access to services using vulnerable ImageMagick versions to reduce exposure.
  • Monitor application logs for crashes and restart services as needed to maintain availability.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25795. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart