CVE-2026-25799
Division-by-Zero DoS in ImageMagick YUV Sampling Validation
Publication date: 2026-02-24
Last updated on: 2026-02-24
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| imagemagick | imagemagick | Before 6.9.13-40 (exc) |
| imagemagick | imagemagick | From 7.0.0-0 (inc) to 7.1.2-15 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-369 | The product divides a value by zero. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25799 is a moderate severity vulnerability in ImageMagick, software used for editing and manipulating digital images. The issue arises from a logic error in validating YUV sampling factors during image loading. An invalid sampling factor can bypass these validation checks and cause a division-by-zero error in the ReadYUVImage function, leading to a crash.
This division-by-zero error results in a reliable denial-of-service (DoS) condition, meaning the software can be made to crash and become unavailable. The vulnerability can be exploited remotely without any privileges or user interaction.
How can this vulnerability impact me?
This vulnerability can cause ImageMagick to crash during image loading, resulting in a denial-of-service (DoS) condition. This means that an attacker can remotely cause the software to become unavailable or stop functioning properly by sending specially crafted images with invalid YUV sampling factors.
Since the attack requires no privileges or user interaction and has low complexity, it can be easily exploited, potentially disrupting services or applications that rely on ImageMagick for image processing.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability manifests as a division-by-zero error during image loading in ImageMagick, causing a crash and denial-of-service. Detection can involve monitoring for runtime errors or crashes related to the ReadYUVImage function, especially those indicating division by zero.
Since the issue occurs during image processing, one way to detect it is by testing ImageMagick with crafted images containing invalid YUV sampling factors and observing if the application crashes.
There is no specific command provided in the resources, but you can attempt to process suspicious or untrusted images using ImageMagick commands like `magick convert` or `magick identify` and monitor for crashes or errors.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade ImageMagick to version 7.1.2-15 or later, or 6.9.13-40 or later, where the vulnerability has been patched.
Until the upgrade can be applied, avoid processing untrusted or potentially malicious images that could exploit the invalid YUV sampling factor logic error.
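The mitigation above comes down to a version check against the two fix thresholds the advisory lists (6.9.13-40 for the 6.x line, 7.1.2-15 for the 7.x line). The script below is an added example, not part of the advisory or of ImageMagick itself: it parses the version string printed by `magick --version` (or `convert --version` on ImageMagick 6), compares it with the fixed versions using ImageMagick's `major.minor.patch-build` scheme, and reports whether the installed build falls in an affected range. The sample version outputs embedded in it are constructed for illustration; the `magick`/`convert` binary names and the `Version: ImageMagick X.Y.Z-N` output format are the ones those tools actually print.

```python
#!/usr/bin/env python3
"""Screen an ImageMagick installation against the CVE-2026-25799 fix thresholds."""
import re
import shutil
import subprocess

# Fix thresholds from the advisory, keyed by major version line.
# A build is affected when it is below the threshold for its own line.
FIXED_VERSIONS = {
    6: (6, 9, 13, 40),   # 6.x fixed in 6.9.13-40
    7: (7, 1, 2, 15),    # 7.x fixed in 7.1.2-15
}

# ImageMagick prints e.g. "Version: ImageMagick 7.1.1-21 Q16-HDRI x86_64 ..."
VERSION_RE = re.compile(r"ImageMagick\s+(\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_version(version_output):
    """Return (major, minor, patch, build) from --version output, or None."""
    match = VERSION_RE.search(version_output)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def is_affected(version):
    """True/False for the 6.x and 7.x lines the advisory covers; None otherwise."""
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        # Only the 6.x and 7.x lines are listed as affected; don't guess for others.
        return None
    return version < fixed  # tuple comparison follows major.minor.patch-build order


def assess(version_output):
    """Map raw --version output to one of: affected, fixed, not-assessed, unknown."""
    version = parse_version(version_output)
    if version is None:
        return "unknown"
    affected = is_affected(version)
    if affected is None:
        return "not-assessed"
    return "affected" if affected else "fixed"


def installed_version_output():
    """Run the local binary, preferring ImageMagick 7's `magick` over legacy `convert`."""
    for exe in ("magick", "convert"):
        path = shutil.which(exe)
        if path is None:
            continue
        try:
            result = subprocess.run([path, "--version"], capture_output=True,
                                    text=True, timeout=10)
        except (OSError, subprocess.SubprocessError):
            continue
        if result.stdout:
            return result.stdout
    return None


# Constructed sample outputs (not captured from real systems) used when no
# ImageMagick binary is installed, so the script still demonstrates each outcome.
SAMPLE_OUTPUTS = {
    "im7-old": "Version: ImageMagick 7.1.1-21 Q16-HDRI x86_64 21713 https://imagemagick.org\n",
    "im7-fixed": "Version: ImageMagick 7.1.2-15 Q16-HDRI x86_64 https://imagemagick.org\n",
    "im6-old": "Version: ImageMagick 6.9.11-60 Q16 x86_64 2021-01-25 https://imagemagick.org\n",
    "im6-fixed": "Version: ImageMagick 6.9.13-40 Q16 x86_64 https://imagemagick.org\n",
}


if __name__ == "__main__":
    output = installed_version_output()
    if output is not None:
        print("installed:", parse_version(output), "->", assess(output))
    else:
        print("no ImageMagick binary found; showing constructed samples")
        for label, sample in SAMPLE_OUTPUTS.items():
            print(f"{label}: {parse_version(sample)} -> {assess(sample)}")
```

Treat the result as a screen, not a verdict: distribution packages often backport fixes without changing the upstream version string, so a build reported as "affected" should be confirmed against the package's changelog or security tracker, and a `convert` found on the path may be a shim for ImageMagick 7 rather than a 6.x install.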