ImageMagick, Heap Out-of-Bounds Read, CVE-2026-25982 (Medium)

Listen to this Post

The vulnerability, identified as CVE-2026-25982, is a heap out-of-bounds read flaw found in ImageMagick’s DICOM decoder within `coders/dcm.c` . It arises when the software processes a specially crafted DICOM (Digital Imaging and Communications in Medicine) file . Due to an error in the decoding loop’s byte-counting logic for specific file configurations, the `ReadDCMImage` function attempts to read data beyond the boundaries of the allocated heap buffer . This incorrect memory access can lead to two primary impacts: a Denial of Service (DoS) through application crashes, or an Information Disclosure where sensitive data from adjacent heap memory is inadvertently leaked into the processed image output . The issue is present in ImageMagick versions before 7.1.2-15 and 6.9.13-40, and consequently affects various Magick.NET NuGet packages before version 14.10.3. Patches have been released to correct the loop’s bounds checking .

dailycve form:

Platform: ImageMagick
Version: <6.9.13-40, <7.1.2-15
Vulnerability : Out-of-bounds Read
Severity: Medium (6.5)
date: Feb 23, 2026

Prediction: Patches released

What Undercode Say:

Analytics:

The vulnerability is remotely exploitable without authentication or user interaction, making it a significant threat to any service processing DICOM images . Its CVSS v3.1 base score is 6.5, with the vector `AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L` . This indicates a low impact on confidentiality and availability, with no impact on integrity. The vulnerability is classified under CWE-125 (Out-of-bounds Read) .

Bash Commands:

Check your installed ImageMagick version
identify -version | grep Version
Check Debian/Ubuntu package version
dpkg -l | grep imagemagick
Check Red Hat/CentOS/Fedora package version
rpm -qa | grep ImageMagick
Disable DICOM processing as a workaround (add to policy.xml)
cat << EOF | sudo tee -a /etc/ImageMagick-7/policy.xml
<policy domain="coder" rights="none" pattern="DCM" />
<policy domain="coder" rights="none" pattern="DICOM" />
EOF

Exploit:

An attacker crafts a malicious DICOM file with specific configuration parameters that trigger the flawed decoding loop in `coders/dcm.c` . When a vulnerable ImageMagick instance processes this file, the loop miscalculates the number of bytes to read per iteration, causing the `ReadDCMImage` function to read past the end of the allocated heap buffer .

Protection from this CVE:

Patch Immediately: Upgrade ImageMagick to version 6.9.13-40 or later for the 6.x branch, or 7.1.2-15 or later for the 7.x branch . For .NET applications, update the relevant Magick.NET NuGet package to version 14.10.3 or later.
Workaround: If immediate patching is not possible, disable DICOM format support by modifying ImageMagick’s `policy.xml` file as shown in the bash commands above .
Isolate Processing: Process all untrusted DICOM files in a sandboxed or isolated environment to contain potential crashes or memory leaks .

Impact:

Successful exploitation can lead to a Denial of Service, causing the application to crash . More critically, it can result in Information Disclosure, where the out-of-bounds read leaks portions of heap memory into the resulting image, potentially exposing sensitive data from the system’s memory . This is particularly severe in medical or PACS environments where DICOM is standard .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top