CVE-2026-25970

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-25970
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a signed integer overflow vulnerability in ImageMagick's SIXEL decoder allows an attacker to trigger memory corruption and denial of service when processing a maliciously crafted SIXEL image file. The vulnerability occurs during buffer reallocation operations where pointer arithmetic using signed 32-bit integers overflows. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

5.3 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References
Link Resource
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xg29-8ghv-v4xr Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*
cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*
History

25 Feb 2026, 11:57

Type Values Removed Values Added
CPE cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*
First Time Imagemagick
Imagemagick imagemagick
References () https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xg29-8ghv-v4xr - () https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xg29-8ghv-v4xr - Third Party Advisory
Summary
  • (es) ImageMagick es un software libre y de código abierto utilizado para editar y manipular imágenes digitales. Antes de las versiones 7.1.2-15 y 6.9.13-40, una vulnerabilidad de desbordamiento de entero con signo en el decodificador SIXEL de ImageMagick permite a un atacante activar la corrupción de memoria y la denegación de servicio al procesar un archivo de imagen SIXEL creado maliciosamente. La vulnerabilidad ocurre durante las operaciones de reasignación de búfer donde la aritmética de punteros que utiliza enteros con signo de 32 bits se desborda. Las versiones 7.1.2-15 y 6.9.13-40 contienen un parche.

24 Feb 2026, 02:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-02-24 02:16

Updated : 2026-02-25 11:57

NVD link : CVE-2026-25970

Mitre link : CVE-2026-25970

CVE.ORG link : CVE-2026-25970

JSON object : View

Products Affected

imagemagick

  • imagemagick
CWE
CWE-190

Integer Overflow or Wraparound