CVE-2026-25898 — Out-of-bounds Read in Imagemagick
Severity
9.1CRITICALNVD
OSV9.8
EPSS
0.0%
top 94.48%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedFeb 24
Latest updateMar 4
Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, the UIL and XPM image encoder do not validate the pixel index value returned by `GetPixelIndex()` before using it as an array subscript. In HDRI builds, `Quantum` is a floating-point type, so pixel index values can be negative. An attacker can craft an image with negative pixel index values to trigger a global buffer overflow read during conversion, leading to …
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:HExploitability: 3.9 | Impact: 5.2
Affected Packages5 packages
🔴Vulnerability Details
4GHSA▶
ImageMagick has Global Buffer Overflow (OOB Read) via Negative Pixel Index in UIL and XPM Writer↗2026-02-24
OSV▶
CVE-2026-25898: ImageMagick is free and open-source software used for editing and manipulating digital images↗2026-02-24
OSV▶
ImageMagick has Global Buffer Overflow (OOB Read) via Negative Pixel Index in UIL and XPM Writer↗2026-02-24