{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25966", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-09T17:13:54.067Z", "datePublished": "2026-02-24T01:27:53.943Z", "dateUpdated": "2026-02-26T21:33:40.025Z"}, "containers": {"cna": {"title": "ImageMagick's Security Policy Bypass through config/policy-secure.xml via \"fd handler\" leads to stdin/stdout access", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xwc6-v6g8-pw2h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xwc6-v6g8-pw2h"}], "affected": [{"vendor": "ImageMagick", "product": "ImageMagick", "versions": [{"version": ">= 7.0.0, < 7.1.2-15", "status": "affected"}, {"version": "< 6.9.13-40", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-24T01:27:53.943Z"}, "descriptions": [{"lang": "en", "value": "ImageMagick is free and open-source software used for editing and manipulating digital images. The shipped \"secure\" security policy includes a rule intended to prevent reading/writing from standard streams. However, ImageMagick also supports fd:<n> pseudo-filenames (e.g., fd:0, fd:1). Prior to versions 7.1.2-15 and 6.9.13-40, this path form is not blocked by the secure policy templates, and therefore bypasses the protection goal of \"no stdin/stdout.\" Versions 7.1.2-15 and 6.9.13-40 contain a patch by including a change to the more secure policies by default. As a workaround, add the change to one's security policy manually."}], "source": {"advisory": "GHSA-xwc6-v6g8-pw2h", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25966", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-26T21:02:30.439529Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T21:33:40.025Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*", "matchCriteriaId": "C6F44A65-1733-4752-AAD0-BCCC7BDBC877", "versionEndExcluding": "6.9.13-40", "vulnerable": true}, {"criteria": "cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*", "matchCriteriaId": "6AFFD439-1068-4B6F-AE01-724AC62CDCEA", "versionEndExcluding": "7.1.2-15", "versionStartIncluding": "7.0.0-0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ImageMagick is free and open-source software used for editing and manipulating digital images. The shipped \"secure\" security policy includes a rule intended to prevent reading/writing from standard streams. However, ImageMagick also supports fd:<n> pseudo-filenames (e.g., fd:0, fd:1). Prior to versions 7.1.2-15 and 6.9.13-40, this path form is not blocked by the secure policy templates, and therefore bypasses the protection goal of \"no stdin/stdout.\" Versions 7.1.2-15 and 6.9.13-40 contain a patch by including a change to the more secure policies by default. As a workaround, add the change to one's security policy manually."}, {"lang": "es", "value": "ImageMagick es un software libre y de c\u00f3digo abierto utilizado para editar y manipular im\u00e1genes digitales. La pol\u00edtica de seguridad 'segura' que se distribuye incluye una regla destinada a prevenir la lectura/escritura desde flujos est\u00e1ndar. Sin embargo, ImageMagick tambi\u00e9n soporta pseudo-nombres de archivo fd: (por ejemplo, fd:0, fd:1). Antes de las versiones 7.1.2-15 y 6.9.13-40, esta forma de ruta no es bloqueada por las plantillas de pol\u00edtica segura, y por lo tanto elude el objetivo de protecci\u00f3n de 'no stdin/stdout'. Las versiones 7.1.2-15 y 6.9.13-40 contienen un parche al incluir un cambio en las pol\u00edticas m\u00e1s seguras por defecto. Como soluci\u00f3n alternativa, a\u00f1ada el cambio a la pol\u00edtica de seguridad propia manualmente."}], "id": "CVE-2026-25966", "lastModified": "2026-02-25T11:59:20.327", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-24T02:16:01.330", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xwc6-v6g8-pw2h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "ImageMagick: ImageMagick: Policy bypass allows unauthorized access to standard streams via fd:<n> pseudo-filenames", "id": "2442122", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442122"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "status": "draft"}, "cwe": "CWE-184", "details": ["A flaw was found in ImageMagick. The \"secure\" security policy, intended to prevent reading and writing from standard streams, can be bypassed. An attacker can exploit this by using fd:<n> pseudo-filenames, which are not properly blocked by the policy. This allows the attacker to circumvent the intended security restrictions, potentially leading to unauthorized access to standard input/output (stdin/stdout) and subsequent information disclosure or data manipulation."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, modify the ImageMagick security policy file, typically located at `/etc/ImageMagick-X/policy.xml` (where X is the version), to explicitly deny access to `fd:` pseudo-filenames. Add a policy rule similar to `<policy domain=\"delegate\" rights=\"none\" pattern=\"fd:*\" />` within the `<policymap>` section. This change will prevent ImageMagick from processing `fd:` paths, thereby closing the bypass. A restart of any services utilizing ImageMagick may be required for the policy change to take effect."}, "name": "CVE-2026-25966", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "ImageMagick", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "ImageMagick", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2026-02-24T01:27:53Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-25966\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-25966\nhttps://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-xwc6-v6g8-pw2h"], "statement": "This MODERATE impact flaw in ImageMagick allows a security policy bypass through the use of `fd:<n>` pseudo-filenames, enabling unauthorized access to standard input/output despite the \"secure\" policy. Red Hat Enterprise Linux 6 ELS and 7 ELS, as well as community projects like Fedora and EPEL, are affected by this vulnerability. Exploitation requires an attacker to provide a specially crafted image or command that leverages this bypass.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.0.0,7.1.2-15)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.9.13-40)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "ImageMagick", "source": "cna", "vendor": "ImageMagick"}, "product": "imagemagick", "vendor": "imagemagick"}], "analysis": {"en": {"generated_at": "2026-04-18T10:59:52.588138+00:00", "value": {"mitigation_remediation": ["Upgrade ImageMagick to at least version 7.1.2\u201115 or 6.9.13\u201140, which include the policy change that blocks fd: pseudo-filenames by default.", "If an upgrade is not possible, manually edit the config/policy-secure.xml file to add a rule that disallows fd: pseudo-filenames from accessing standard streams.", "Consider tightening the application\u2019s file handling to avoid passing standard streams to ImageMagick in untrusted contexts."], "summary": {"action": "Apply Patch", "impact": "Unauthorized access to stdin/stdout via policy bypass"}, "threat_synthesis": {"affected_systems": "ImageMagick installations built on versions older than 7.1.2\u201115 or 6.9.13\u201140 are vulnerable. The flaw resides in the default security policy file, config/policy-secure.xml, where the rule that blocks standard stream access does not apply to fd: references. The affected product is the ImageMagick image manipulation library and its associated command-line tools.", "description_and_impact": "The vulnerability allows an attacker to override ImageMagick\u2019s secure policy and access standard input and output streams by using the fd: pseudo-filename syntax (e.g., fd:0, fd:1). This bypass of the policy can lead to unintended data reads or writes, exposing sensitive information or permitting malicious content to be injected through the standard streams. The weakness is an improper access control flaw (CWE-284) and an information transfer flaw (CWE-184). The impact is therefore a moderate level of data exposure and potential misuse of the image processing service.", "risk_and_exploitability": "The CVSS score of 5.9 indicates a moderate risk. The EPSS score of less than 1% suggests a low probability of exploitation at this time, and the vulnerability is not included in CISA\u2019s Known Exploited Vulnerabilities catalog. The likely attack vector is local or remote through any application that accepts user-supplied image data and passes it to ImageMagick with standard stream operations; an attacker who can craft such input can read from or write to the process\u2019s stdin or stdout."}}}}, "created": "2026-02-24T09:54:00.458843+00:00", "updated": "2026-04-18T11:00:05.752758+00:00", "vendors": ["imagemagick", "imagemagick$PRODUCT$imagemagick"]}