CVE-2026-25897
Published: 2026-02-24
Priority: P3 · 57 · critical 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.30% (21.8th percentile)
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, an Integer Overflow vulnerability exists in the sun decoder. On 32-bit systems/builds, a carefully crafted image can lead to an out of bounds heap write. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
Affected (15 ranges):
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | imagemagick | < 8:6.9.11.60+dfsg-1.6+deb12u7 (bookworm) | 8:6.9.11.60+dfsg-1.6+deb12u7 (bookworm) |
| imagemagick | imagemagick | < 6.9.13-40 | 6.9.13-40 |
| imagemagick | imagemagick | — | — |
| imagemagick | imagemagick | >= 0 < 8:6.9.11.60+dfsg-1.3+deb11u10 | 8:6.9.11.60+dfsg-1.3+deb11u10 |
| imagemagick | imagemagick | >= 0 < 8:6.9.11.60+dfsg-1.6+deb12u7 | 8:6.9.11.60+dfsg-1.6+deb12u7 |
| imagemagick | imagemagick | >= 0 < 8:7.1.1.43+dfsg1-1+deb13u6 | 8:7.1.1.43+dfsg1-1+deb13u6 |
| imagemagick | imagemagick | >= 0 < 8:7.1.2.15+dfsg1-1 | 8:7.1.2.15+dfsg1-1 |
| imagemagick | imagemagick | >= 0 < 8:6.7.7.10-6ubuntu3.13+esm19 | 8:6.7.7.10-6ubuntu3.13+esm19 |
| imagemagick | imagemagick | >= 0 < 8:6.8.9.9-7ubuntu5.16+esm18 | 8:6.8.9.9-7ubuntu5.16+esm18 |
| imagemagick | imagemagick | >= 0 < 8:6.9.7.4+dfsg-16ubuntu6.15+esm10 | 8:6.9.7.4+dfsg-16ubuntu6.15+esm10 |
| imagemagick | imagemagick | >= 0 < 8:6.9.10.23+dfsg-2.1ubuntu11.11+esm8 | 8:6.9.10.23+dfsg-2.1ubuntu11.11+esm8 |
| imagemagick | imagemagick | >= 0 < 8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5+esm8 | 8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5+esm8 |
| imagemagick | imagemagick | >= 0 < 8:6.9.12.98+dfsg1-5.2ubuntu0.1~esm7 | 8:6.9.12.98+dfsg1-5.2ubuntu0.1~esm7 |
| imagemagick | imagemagick | >= 7.0.0-0 < 7.1.2-15 | 7.1.2-15 |
| ubuntu | imagemagick | — | — |
CVSS provenance:

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 6.5 | MEDIUM | — |
| vendor_redhat | — | 6.5 | MEDIUM | — |
| vendor_ubuntu | — | 6.5 | MEDIUM | — |
OSV: imagemagick vulnerabilities (osv · 2026-03-04 · CVSS 9.8; CVE-2026-25897 [CRITICAL])
It was discovered that ImageMagick did not properly decode certain SUN image files. An attacker could use this issue to cause ImageMagick to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2026-25897)

It was discovered that ImageMagick did not properly validate pixel index values when writing UIL and XPM image files. An attacker could use this issue to cause ImageMagick to crash, resulting in a denial of service, or possibly obtain sensitive information. (CVE-2026-25898)

It was discovered that ImageMagick's MSL decoder did not properly handle certain attribute values. An attacker could use this issue to cause ImageMagick to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2026-25968)
It was d
OSV: ImageMagick: Heap overflow in sun decoder on 32-bit systems may result in out of bounds write (osv · 2026-02-24; CVE-2026-25897 [MEDIUM])
An Integer Overflow vulnerability exists in the sun decoder. On 32-bit systems/builds, a carefully crafted image can lead to an out of bounds heap write.
```
==1967675==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf190b50e at pc 0x5eae8777 bp 0xffb0fdd8 sp 0xffb0fdd0
WRITE of size 1 at 0xf190b50e thread T0
```
OSV: CVE-2026-25897: ImageMagick is free and open-source software used for editing and manipulating digital images (osv · 2026-02-24 · CVSS 9.8; CVE-2026-25897 [CRITICAL])
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, an Integer Overflow vulnerability exists in the sun decoder. On 32-bit systems/builds, a carefully crafted image can lead to an out of bounds heap write. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
GHSA: ImageMagick: Heap overflow in sun decoder on 32-bit systems may result in out of bounds write (ghsa · 2026-02-24; CVE-2026-25897 [MEDIUM]; CWE-122)
An Integer Overflow vulnerability exists in the sun decoder. On 32-bit systems/builds, a carefully crafted image can lead to an out of bounds heap write.
```
==1967675==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf190b50e at pc 0x5eae8777 bp 0xffb0fdd8 sp 0xffb0fdd0
WRITE of size 1 at 0xf190b50e thread T0
```
Ubuntu: ImageMagick vulnerabilities (vendor_ubuntu · 2026-05-11 · CVSS 6.5; CVE-2026-25898 [MEDIUM])
Title: ImageMagick vulnerabilities
Summary: Several security issues were fixed in ImageMagick.
It was discovered that ImageMagick incorrectly handled certain malformed image files in certain instances. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could possibly use these issues to cause a denial of service or possibly execute code. These issues only affected Ubuntu 14.04 LTS. (CVE-2018-15607, CVE-2018-18544, CVE-2019-13137, CVE-2019-13391, CVE-2019-13391)

It was discovered that ImageMagick incorrectly handled certain malformed image files in certain instances. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could possibly use these issues to cause a denial
Ubuntu: ImageMagick vulnerabilities (vendor_ubuntu · 2026-03-04 · CVSS 6.5; CVE-2026-25968 [MEDIUM])
Title: ImageMagick vulnerabilities
Summary: Several security issues were fixed in ImageMagick.
It was discovered that ImageMagick did not properly decode certain SUN image files. An attacker could use this issue to cause ImageMagick to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2026-25897)

It was discovered that ImageMagick did not properly validate pixel index values when writing UIL and XPM image files. An attacker could use this issue to cause ImageMagick to crash, resulting in a denial of service, or possibly obtain sensitive information. (CVE-2026-25898)

It was discovered that ImageMagick's MSL decoder did not properly handle certain attribute values. An attacker could use this issue to cause ImageMagick to crash, resulting in a denial of ser
Red Hat: ImageMagick: Out-of-bounds heap write via integer overflow in sun decoder (vendor_redhat · 2026-02-24 · CVSS 6.5; CVE-2026-25897 [MEDIUM]; CWE-190)
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, an Integer Overflow vulnerability exists in the sun decoder. On 32-bit systems/builds, a carefully crafted image can lead to an out of bounds heap write. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
A flaw was found in ImageMagick. An integer overflow vulnerability in the sun decoder allows a remote attacker to cause an out-of-bounds heap write by processing a carefully crafted image. This issue primarily affects 32-bit systems and builds, potentially leading to a denial of service.
Statement: This MODERATE impact vulnerability in ImageMagick's sun decoder can le
Debian: CVE-2026-25897: imagemagick - ImageMagick is free and open-source software used for editing and manipulating d... (vendor_debian · 2026 · CVSS 6.5; CVE-2026-25897 [MEDIUM])
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, an Integer Overflow vulnerability exists in the sun decoder. On 32-bit systems/builds, a carefully crafted image can lead to an out of bounds heap write. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
Scope: local
bookworm: resolved (fixed in 8:6.9.11.60+dfsg-1.6+deb12u7)
bullseye: resolved (fixed in 8:6.9.11.60+dfsg-1.3+deb11u10)
forky: resolved (fixed in 8:7.1.2.15+dfsg1-1)
sid: resolved (fixed in 8:7.1.2.15+dfsg1-1)
trixie: resolved (fixed in 8:7.1.1.43+dfsg1-1+deb13u6)
No detection rules found.
No public exploits indexed.