CVE-2026-25966
ImageMagick FD Pseudo-Filename Bypass Enables Stream Access
Publication date: 2026-02-24
Last updated on: 2026-02-25
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| imagemagick | imagemagick | to 6.9.13-40 (exc) |
| imagemagick | imagemagick | From 7.0.0-0 (inc) to 7.1.2-15 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-25966 is a moderate severity security vulnerability in ImageMagick versions prior to 7.1.2-15 and 6.9.13-40. The vulnerability arises because the security policy intended to block reading or writing from standard input/output streams does not block pseudo-filenames in the form of "fd:" (e.g., fd:0, fd:1). This omission allows attackers to bypass the security restriction and gain unauthorized access to stdin and stdout streams.'}, {'type': 'paragraph', 'content': 'The issue is due to improper access control (CWE-284) where the product fails to properly restrict access to these file descriptors. The recommended fix is to update the security policy to explicitly deny access to all "fd:" pseudo-filenames.'}] [1]
How can this vulnerability impact me? :
This vulnerability can allow an attacker to bypass security policies and gain unauthorized access to standard input and output streams (stdin and stdout) within ImageMagick. This could lead to unauthorized reading or writing of data, potentially compromising confidentiality, integrity, and availability to a low degree.
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
The attack requires local access but no privileges or user interaction, making it easier for a local attacker to exploit.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability involves a security policy bypass in ImageMagick related to the handling of fd:<n> pseudo-filenames which are not blocked by the default secure policy. Detection involves checking the ImageMagick security policy configuration for the presence or absence of rules blocking fd: pseudo-filenames.'}, {'type': 'paragraph', 'content': 'You can inspect the ImageMagick security policy file (usually named policy.xml or policy-secure.xml) to see if it contains a rule denying access to fd: pseudo-filenames.'}, {'type': 'list_item', 'content': 'Use a command like `grep \'fd:\' /etc/ImageMagick-7/policy.xml` or the equivalent path on your system to check if the pattern `<policy domain="path" rights="none" pattern="fd:*" />` is present.'}, {'type': 'list_item', 'content': 'Check the installed ImageMagick version with `magick -version` or `convert -version` to verify if it is prior to the patched versions 7.1.2-15 or 6.9.13-40.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'The recommended immediate mitigation is to update the ImageMagick security policy to explicitly deny access to all fd: pseudo-filenames.'}, {'type': 'paragraph', 'content': 'This can be done by adding the following rule to your security policy file (e.g., policy.xml or policy-secure.xml):'}, {'type': 'list_item', 'content': '<policy domain="path" rights="none" pattern="fd:*" />'}, {'type': 'paragraph', 'content': 'Alternatively, upgrading ImageMagick to version 7.1.2-15 or 6.9.13-40 or later will include this fix by default.'}] [1]