CVE-2026-25989
Received Received - Intake
Off-by-One Vulnerability in ImageMagick SVG Causes DoS

Publication date: 2026-02-24

Last updated on: 2026-02-24

Assigner: GitHub, Inc.

Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted SVG file can cause a denial of service. An off-by-one boundary check (`>` instead of `>=`) that allows bypass the guard and reach an undefined `(size_t)` cast. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-24
Last Modified
2026-02-24
Generated
2026-06-16
AI Q&A
2026-02-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25989
EUVD
EUVD-2026-7416
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
imagemagick imagemagick to 6.9.13-40 (exc)
imagemagick imagemagick From 7.0.0-0 (inc) to 7.1.2-15 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-681 When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
CWE-193 A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-25989 is a high-severity vulnerability in ImageMagick, a software used for editing and manipulating digital images. The issue arises from an off-by-one boundary check error in the internal SVG decoder, where a '>' comparison is used instead of '>='. This mistake allows bypassing a guard condition and leads to an undefined cast to size_t. Specifically, a crafted SVG file can exploit this flaw to cause a denial of service."}, {'type': 'paragraph', 'content': 'The vulnerability involves integer overflow or wraparound (CWE-190) and incorrect conversion between numeric types (CWE-681), which cause unexpected and dangerous behavior. It can be exploited remotely without any privileges or user interaction.'}] [1]

Impact Analysis

This vulnerability can cause a denial of service (DoS) in ImageMagick when processing a specially crafted SVG file. An attacker can exploit this remotely without any privileges or user interaction, potentially causing the software or system using ImageMagick to crash or become unavailable.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by identifying if your system is running a vulnerable version of ImageMagick prior to 7.1.2-15 or 6.9.13-40.

You can check the installed ImageMagick version using the following command:

  • magick -version

If the version is older than 7.1.2-15 or 6.9.13-40, your system is vulnerable.

Additionally, monitoring network traffic for suspicious SVG files being processed by ImageMagick could help detect exploitation attempts, but no specific detection commands are provided.

Mitigation Strategies

The immediate mitigation step is to update ImageMagick to a patched version.

  • Upgrade ImageMagick to version 7.1.2-15 or later, or 6.9.13-40 or later.

This update contains the fix for the off-by-one boundary check vulnerability that can cause denial of service.

Until the update can be applied, consider restricting or monitoring the processing of untrusted SVG files to reduce the risk of exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25989. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart