CVE-2026-25966
Received Received - Intake
ImageMagick FD Pseudo-Filename Bypass Enables Stream Access

Publication date: 2026-02-24

Last updated on: 2026-02-25

Assigner: GitHub, Inc.

Description
ImageMagick is free and open-source software used for editing and manipulating digital images. The shipped "secure" security policy includes a rule intended to prevent reading/writing from standard streams. However, ImageMagick also supports fd:<n> pseudo-filenames (e.g., fd:0, fd:1). Prior to versions 7.1.2-15 and 6.9.13-40, this path form is not blocked by the secure policy templates, and therefore bypasses the protection goal of "no stdin/stdout." Versions 7.1.2-15 and 6.9.13-40 contain a patch by including a change to the more secure policies by default. As a workaround, add the change to one's security policy manually.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-24
Last Modified
2026-02-25
Generated
2026-06-16
AI Q&A
2026-02-24
EPSS Evaluated
2026-06-14
NVD
CVE-2026-25966
EUVD
EUVD-2026-7437
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
imagemagick imagemagick to 6.9.13-40 (exc)
imagemagick imagemagick From 7.0.0-0 (inc) to 7.1.2-15 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-25966 is a moderate severity security vulnerability in ImageMagick versions prior to 7.1.2-15 and 6.9.13-40. The vulnerability arises because the security policy intended to block reading or writing from standard input/output streams does not block pseudo-filenames in the form of "fd:" (e.g., fd:0, fd:1). This omission allows attackers to bypass the security restriction and gain unauthorized access to stdin and stdout streams.'}, {'type': 'paragraph', 'content': 'The issue is due to improper access control (CWE-284) where the product fails to properly restrict access to these file descriptors. The recommended fix is to update the security policy to explicitly deny access to all "fd:" pseudo-filenames.'}] [1]

Impact Analysis

This vulnerability can allow an attacker to bypass security policies and gain unauthorized access to standard input and output streams (stdin and stdout) within ImageMagick. This could lead to unauthorized reading or writing of data, potentially compromising confidentiality, integrity, and availability to a low degree.

  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

The attack requires local access but no privileges or user interaction, making it easier for a local attacker to exploit.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves a security policy bypass in ImageMagick related to the handling of fd:<n> pseudo-filenames which are not blocked by the default secure policy. Detection involves checking the ImageMagick security policy configuration for the presence or absence of rules blocking fd: pseudo-filenames.'}, {'type': 'paragraph', 'content': 'You can inspect the ImageMagick security policy file (usually named policy.xml or policy-secure.xml) to see if it contains a rule denying access to fd: pseudo-filenames.'}, {'type': 'list_item', 'content': 'Use a command like `grep \'fd:\' /etc/ImageMagick-7/policy.xml` or the equivalent path on your system to check if the pattern `<policy domain="path" rights="none" pattern="fd:*" />` is present.'}, {'type': 'list_item', 'content': 'Check the installed ImageMagick version with `magick -version` or `convert -version` to verify if it is prior to the patched versions 7.1.2-15 or 6.9.13-40.'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The recommended immediate mitigation is to update the ImageMagick security policy to explicitly deny access to all fd: pseudo-filenames.'}, {'type': 'paragraph', 'content': 'This can be done by adding the following rule to your security policy file (e.g., policy.xml or policy-secure.xml):'}, {'type': 'list_item', 'content': '<policy domain="path" rights="none" pattern="fd:*" />'}, {'type': 'paragraph', 'content': 'Alternatively, upgrading ImageMagick to version 7.1.2-15 or 6.9.13-40 or later will include this fix by default.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25966. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart