ImageMagick crashes or leaks sensitive data with specific image files

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

5.3

ImageMagick crashes or leaks sensitive data with specific image files

CVE-2026-25987 GHSA-42p5-62qq-mmh7 CVE-2026-25987

Summary

ImageMagick, a popular image editing software, has a security flaw in its MAP image decoder. This means that if an attacker sends a specially crafted image file, it could cause the software to crash or accidentally reveal sensitive information. Ensure you're running version 7.1.2-15 or later, or version 6.9.13-40 or later, as these have the necessary fix.

What to do

Update magick.net-q16-anycpu to version 14.10.3.
Update magick.net-q16-hdri-anycpu to version 14.10.3.
Update magick.net-q16-hdri-openmp-arm64 to version 14.10.3.
Update magick.net-q16-hdri-openmp-x64 to version 14.10.3.
Update magick.net-q16-hdri-arm64 to version 14.10.3.
Update magick.net-q16-hdri-x64 to version 14.10.3.
Update magick.net-q16-hdri-x86 to version 14.10.3.
Update magick.net-q16-openmp-arm64 to version 14.10.3.
Update magick.net-q16-openmp-x64 to version 14.10.3.
Update magick.net-q16-openmp-x86 to version 14.10.3.
Update magick.net-q16-arm64 to version 14.10.3.
Update magick.net-q16-x64 to version 14.10.3.
Update magick.net-q16-x86 to version 14.10.3.
Update magick.net-q8-anycpu to version 14.10.3.
Update magick.net-q8-openmp-arm64 to version 14.10.3.
Update magick.net-q8-openmp-x64 to version 14.10.3.
Update magick.net-q8-arm64 to version 14.10.3.
Update magick.net-q8-x64 to version 14.10.3.
Update magick.net-q8-x86 to version 14.10.3.

Affected software

Vendor	Product	Affected versions	Fix available
–	magick.net-q16-anycpu	<= 14.10.3	14.10.3
–	magick.net-q16-hdri-anycpu	<= 14.10.3	14.10.3
–	magick.net-q16-hdri-openmp-arm64	<= 14.10.3	14.10.3
–	magick.net-q16-hdri-openmp-x64	<= 14.10.3	14.10.3
–	magick.net-q16-hdri-arm64	<= 14.10.3	14.10.3
–	magick.net-q16-hdri-x64	<= 14.10.3	14.10.3
–	magick.net-q16-hdri-x86	<= 14.10.3	14.10.3
–	magick.net-q16-openmp-arm64	<= 14.10.3	14.10.3
–	magick.net-q16-openmp-x64	<= 14.10.3	14.10.3
–	magick.net-q16-openmp-x86	<= 14.10.3	14.10.3
–	magick.net-q16-arm64	<= 14.10.3	14.10.3
–	magick.net-q16-x64	<= 14.10.3	14.10.3
–	magick.net-q16-x86	<= 14.10.3	14.10.3
–	magick.net-q8-anycpu	<= 14.10.3	14.10.3
–	magick.net-q8-openmp-arm64	<= 14.10.3	14.10.3
–	magick.net-q8-openmp-x64	<= 14.10.3	14.10.3
–	magick.net-q8-arm64	<= 14.10.3	14.10.3
–	magick.net-q8-x64	<= 14.10.3	14.10.3
–	magick.net-q8-x86	<= 14.10.3	14.10.3
imagemagick	imagemagick	<= 6.9.13-40	–
imagemagick	imagemagick	> 7.0.0-0 , <= 7.1.2-15	–

Original title

ImageMagick has heap buffer over-read in MAP image decoder

Original description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap buffer over-read vulnerability exists in the MAP image decoder when processing crafted MAP files, potentially leading to crashes or unintended memory disclosure during image decoding. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

nvd CVSS3.1 9.1

Vulnerability type

CWE-125 Out-of-bounds Read

Published: 24 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026