{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25794", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-05T19:58:01.640Z", "datePublished": "2026-02-24T00:53:23.396Z", "dateUpdated": "2026-02-26T15:05:26.408Z"}, "containers": {"cna": {"title": "ImageMagick has heap-buffer-overflow via signed integer overflow in `WriteUHDRImage` when writing UHDR images with large dimensions", "problemTypes": [{"descriptions": [{"cweId": "CWE-122", "lang": "en", "description": "CWE-122: Heap-based Buffer Overflow", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-190", "lang": "en", "description": "CWE-190: Integer Overflow or Wraparound", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vhqj-f5cj-9x8h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vhqj-f5cj-9x8h"}], "affected": [{"vendor": "ImageMagick", "product": "ImageMagick", "versions": [{"version": "< 7.1.2-15", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-24T00:53:23.396Z"}, "descriptions": [{"lang": "en", "value": "ImageMagick is free and open-source software used for editing and manipulating digital images. `WriteUHDRImage` in `coders/uhdr.c` uses `int` arithmetic to compute the pixel buffer size. Prior to version 7.1.2-15, when image dimensions are large, the multiplication overflows 32-bit `int`, causing an undersized heap allocation followed by an out-of-bounds write. This can crash the process or potentially lead to an out of bounds heap write. Version 7.1.2-15 contains a patch."}], "source": {"advisory": "GHSA-vhqj-f5cj-9x8h", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T15:04:46.335773Z", "id": "CVE-2026-25794", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T15:05:26.408Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25794", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-05T19:58:01.640Z", "datePublished": "2026-02-24T00:53:23.396Z", "dateUpdated": "2026-02-26T15:05:26.408Z"}, "containers": {"cna": {"title": "ImageMagick has heap-buffer-overflow via signed integer overflow in `WriteUHDRImage` when writing UHDR images with large dimensions", "problemTypes": [{"descriptions": [{"cweId": "CWE-122", "lang": "en", "description": "CWE-122: Heap-based Buffer Overflow", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-190", "lang": "en", "description": "CWE-190: Integer Overflow or Wraparound", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vhqj-f5cj-9x8h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vhqj-f5cj-9x8h"}], "affected": [{"vendor": "ImageMagick", "product": "ImageMagick", "versions": [{"version": "< 7.1.2-15", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-24T00:53:23.396Z"}, "descriptions": [{"lang": "en", "value": "ImageMagick is free and open-source software used for editing and manipulating digital images. `WriteUHDRImage` in `coders/uhdr.c` uses `int` arithmetic to compute the pixel buffer size. Prior to version 7.1.2-15, when image dimensions are large, the multiplication overflows 32-bit `int`, causing an undersized heap allocation followed by an out-of-bounds write. This can crash the process or potentially lead to an out of bounds heap write. Version 7.1.2-15 contains a patch."}], "source": {"advisory": "GHSA-vhqj-f5cj-9x8h", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25794", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-26T15:04:46.335773Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T15:05:21.115Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*", "matchCriteriaId": "B89F5759-9F8D-4C89-8D35-0FCE2AE715A4", "versionEndExcluding": "7.1.2-15", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ImageMagick is free and open-source software used for editing and manipulating digital images. `WriteUHDRImage` in `coders/uhdr.c` uses `int` arithmetic to compute the pixel buffer size. Prior to version 7.1.2-15, when image dimensions are large, the multiplication overflows 32-bit `int`, causing an undersized heap allocation followed by an out-of-bounds write. This can crash the process or potentially lead to an out of bounds heap write. Version 7.1.2-15 contains a patch."}, {"lang": "es", "value": "ImageMagick es un software libre y de c\u00f3digo abierto utilizado para editar y manipular im\u00e1genes digitales. 'WriteUHDRImage' en 'coders/uhdr.c' utiliza aritm\u00e9tica de tipo 'int' para calcular el tama\u00f1o del b\u00fafer de p\u00edxeles. Antes de la versi\u00f3n 7.1.2-15, cuando las dimensiones de la imagen son grandes, la multiplicaci\u00f3n desborda el tipo 'int' de 32 bits, lo que provoca una asignaci\u00f3n de heap de tama\u00f1o insuficiente seguida de una escritura fuera de l\u00edmites. Esto puede bloquear el proceso o potencialmente conducir a una escritura de heap fuera de l\u00edmites. La versi\u00f3n 7.1.2-15 contiene un parche."}], "id": "CVE-2026-25794", "lastModified": "2026-02-24T17:28:54.433", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-24T01:16:13.970", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vhqj-f5cj-9x8h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}, {"lang": "en", "value": "CWE-190"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "ImageMagick: ImageMagick: Denial of service and potential arbitrary code execution via integer overflow in image processing", "id": "2442110", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442110"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.2", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "status": "draft"}, "cwe": "CWE-190", "details": ["A flaw was found in ImageMagick. When processing images with large dimensions, the `WriteUHDRImage` function in `coders/uhdr.c` uses integer arithmetic that can overflow. This overflow leads to an undersized memory allocation, followed by an out-of-bounds write. A remote attacker could exploit this vulnerability by providing a specially crafted image, potentially causing a denial of service or, in some cases, arbitrary code execution."], "mitigation": {"lang": "en:us", "value": "To mitigate this vulnerability, avoid processing untrusted or maliciously crafted UHDR image files with ImageMagick. Limiting the exposure of ImageMagick to untrusted input can reduce the risk of exploitation."}, "name": "CVE-2026-25794", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "ImageMagick", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "ImageMagick", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2026-02-24T00:53:23Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-25794\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-25794\nhttps://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vhqj-f5cj-9x8h"], "statement": "This IMPORTANT heap-buffer-overflow vulnerability in ImageMagick's `WriteUHDRImage` function can lead to a denial of service or potentially arbitrary code execution when processing specially crafted UHDR images with excessively large dimensions. Red Hat Enterprise Linux 6 ELS and 7 ELS are affected by this flaw, which occurs due to a signed integer overflow during pixel buffer size calculation.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.1.2-15)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "ImageMagick", "source": "cna", "vendor": "ImageMagick"}, "product": "imagemagick", "vendor": "imagemagick"}], "analysis": {"en": {"generated_at": "2026-04-18T17:45:52.168541+00:00", "value": {"mitigation_remediation": ["Update ImageMagick to version 7.1.2\u201115 or later to apply the vendor patch.", "If updating is infeasible, limit UHDR image processing to trusted inputs and verify that image dimensions are within safe bounds before invoking WriteUHDRImage.", "For systems that cannot immediately upgrade or restrict input, apply a runtime monitor or sandbox to contain potential heap corruption from untrusted images."], "summary": {"action": "Immediate Patch", "impact": "Out of bounds heap write potentially leading to crash"}, "threat_synthesis": {"affected_systems": "ImageMagick software, all releases prior to version 7.1.2\u201115. Versions 7.1.2\u201115 and later contain the patch that prevents the signed integer overflow and protects buffer allocation.", "description_and_impact": "WriteUHDRImage in ImageMagick computes the pixel buffer size using 32\u2011bit signed arithmetic. When a UHDR image with large dimensions is processed, the multiplication overflows, causing a buffer that is too small to be allocated. The resulting out\u2011of\u2011bounds write can corrupt heap memory, crash the image processing process. This flaw is identified as a heap buffer overflow and an integer overflow (CWE\u2011122 and CWE\u2011190).", "risk_and_exploitability": "The vulnerability scores a 8.2 on CVSS, indicating high severity, but the EPSS score is reported as less than 1%, showing a very low likelihood of opportunistic exploitation. The flaw is not listed in the CISA KEV catalog. Based on the description, it is inferred that attackers would need to supply a malicious UHDR image with sufficiently large dimensions to trigger the overflow; therefore the likely attack vector is a local or privileged process that processes crafted images."}}}}, "created": "2026-02-24T09:54:10.651224+00:00", "updated": "2026-04-18T18:00:06.447429+00:00", "vendors": ["imagemagick", "imagemagick$PRODUCT$imagemagick"]}