CVE-2026-25795
NULL Pointer Dereference in ImageMagick ReadSFWImage Causes Crash
Publication date: 2026-02-24
Last updated on: 2026-02-24
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| imagemagick | imagemagick | to 6.9.13-40 (exc) |
| imagemagick | imagemagick | From 7.0.0-0 (inc) to 7.1.2-15 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability causes a denial of service by crashing the ImageMagick application due to a NULL pointer dereference.
Since the crash can be triggered remotely without any privileges or user interaction, it could disrupt services relying on ImageMagick for image processing.
However, it does not impact confidentiality or integrity of data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
Can you explain this vulnerability to me?
CVE-2026-25795 is a moderate severity vulnerability in ImageMagick affecting versions prior to 7.1.2-15 and 6.9.13-40.
The issue occurs in the ReadSFWImage() function within the coders/sfw.c file. Specifically, when the creation of a temporary file fails, the read_info structure is destroyed before its filename member is accessed.
This sequence leads to a NULL pointer dereference, causing the program to crash.
The vulnerability is identified as CWE-476 (NULL Pointer Dereference) and can be triggered remotely over a network without requiring any privileges or user interaction.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for application crashes caused by NULL pointer dereferences in ImageMagick, specifically in the ReadSFWImage() function. The issue was originally detected using AddressSanitizer, which reported an unknown signal due to dereferencing a NULL pointer.
To detect this on your system, you can run ImageMagick with AddressSanitizer enabled to catch NULL pointer dereferences during image processing.
Additionally, monitoring system logs for crashes or segmentation faults related to ImageMagick processes can help identify exploitation attempts.
- Use AddressSanitizer when compiling ImageMagick to detect NULL pointer dereferences.
- Check system logs (e.g., /var/log/syslog or journalctl) for ImageMagick crashes.
- Run commands like `dmesg | grep -i imagemagick` or `journalctl -xe | grep -i imagemagick` to find crash reports.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade ImageMagick to a patched version. Versions 7.1.2-15 and 6.9.13-40 contain the fix for this issue.
Since the vulnerability can be triggered remotely without privileges or user interaction, applying the patch promptly is critical to prevent denial of service attacks.
- Upgrade ImageMagick to version 7.1.2-15 or later, or 6.9.13-40 or later.
- If upgrading immediately is not possible, consider restricting network access to services using vulnerable ImageMagick versions to reduce exposure.
- Monitor application logs for crashes and restart services as needed to maintain availability.