ImageMagick, Heap Buffer Overflow, CVE-2026-25986 (Moderate)

Listen to this Post

A heap buffer overflow vulnerability exists in ImageMagick’s `ReadYUVImage()` function within `coders/yuv.c` when processing maliciously crafted YUV 4:2:2 images with the ‘NoInterlace’ option. The flaw occurs due to an incorrect bounds check in the pixel-pair processing loop. For each row of pixel data, the loop iterates based on the image width, but a miscalculation causes it to write one additional pixel beyond the end of the allocated heap buffer for that row. This out-of-bounds write can corrupt adjacent heap memory, leading to a program crash (denial of service) . Under specific conditions, an attacker could potentially leverage this memory corruption to alter program behavior or execute arbitrary code . The issue affects ImageMagick versions prior to 6.9.13-40 and 7.1.2-15 . Patches were committed to the ImageMagick GitHub repository on February 23, 2026, and are included in the fixed versions .

dailycve form:

Platform: ImageMagick
Version: <6.9.13-40, <7.1.2-15
Vulnerability : Heap Buffer Overflow
Severity: Moderate
date: February 24, 2026

Prediction: Patched versions released

What Undercode Say:

Analytics:

  • CVE ID: CVE-2026-25986
  • CVSS Score: 5.3 (Medium) [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L]
  • CWE: CWE-787 (Out-of-bounds Write) or CWE-805 (Buffer Access with Incorrect Length Value)
  • Attack Vector: Network
  • Privileges Required: None
  • User Interaction: None

Exploit:

A remote attacker can trigger this vulnerability by crafting a malicious YUV 4:2:2 (NoInterlace) image and enticing a user or automated process to open it with a vulnerable version of ImageMagick. The exploit leverages the heap buffer overflow to cause a denial of service. While public proof-of-concept (PoC) code is not confirmed, the nature of the overflow (one pixel beyond the buffer) makes it potentially reproducible .

Example of how an attacker might invoke the vulnerable decoder
This would cause the vulnerable ImageMagick to process the malicious file.
convert malicious.yuv output.png

Protection from this CVE:

  1. Patch Immediately: Upgrade to ImageMagick version `6.9.13-40` or 7.1.2-15, or any later patched version .
  2. Vendor Updates: Apply security updates from your Linux distribution (Red Hat, Debian, Ubuntu, SUSE, etc.) as they become available .
  3. Input Sanitization: Avoid processing untrusted YUV 4:2:2 image files, especially from unknown sources .
  4. Sandboxing: If ImageMagick is used in automated workflows (e.g., web applications), run it in a sandboxed or containerized environment to limit the impact of a successful exploit .
    Check your current ImageMagick version
    identify -version
    Example of updating on Debian/Ubuntu
    sudo apt update
    sudo apt install --only-upgrade imagemagick
    Example of updating on RHEL/CentOS/Fedora
    sudo yum update ImageMagick
    or
    sudo dnf update ImageMagick
    

Impact:

  • Availability: High. The primary impact is a denial of service, causing the application to crash due to heap corruption .
  • Integrity: Potentially Low to High. While the official CVSS vector rates integrity impact as ‘None’ , heap overflows can sometimes be leveraged for arbitrary code execution, which would compromise integrity .
  • Confidentiality: Potentially Low. Like integrity, arbitrary code execution resulting from this overflow could lead to information disclosure.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top