Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.
5.3

ImageMagick's YUV decoder can crash or leak memory

CVE-2026-25986 GHSA-mqfc-82jx-3mr2
Summary

A security issue affects ImageMagick's ability to safely decode YUV images. This could allow an attacker to make the program crash or leak sensitive information. Businesses should update to the latest version of ImageMagick to ensure the fix is applied.

What to do
  • Update magick.net-q16-anycpu to version 14.10.3.
  • Update magick.net-q16-hdri-anycpu to version 14.10.3.
  • Update magick.net-q16-hdri-openmp-arm64 to version 14.10.3.
  • Update magick.net-q16-hdri-arm64 to version 14.10.3.
  • Update magick.net-q16-hdri-x64 to version 14.10.3.
  • Update magick.net-q16-hdri-x86 to version 14.10.3.
  • Update magick.net-q16-openmp-arm64 to version 14.10.3.
  • Update magick.net-q16-openmp-x64 to version 14.10.3.
  • Update magick.net-q16-openmp-x86 to version 14.10.3.
  • Update magick.net-q16-arm64 to version 14.10.3.
  • Update magick.net-q16-x64 to version 14.10.3.
  • Update magick.net-q16-x86 to version 14.10.3.
  • Update magick.net-q16-hdri-openmp-x64 to version 14.10.3.
  • Update magick.net-q8-anycpu to version 14.10.3.
  • Update magick.net-q8-openmp-arm64 to version 14.10.3.
  • Update magick.net-q8-openmp-x64 to version 14.10.3.
  • Update magick.net-q8-arm64 to version 14.10.3.
  • Update magick.net-q8-x64 to version 14.10.3.
  • Update magick.net-q8-x86 to version 14.10.3.
Affected software
VendorProductAffected versionsFix available
imagemagick imagemagick <= 6.9.13-40
imagemagick imagemagick > 7.0.0-0 , <= 7.1.2-15
magick.net-q16-anycpu <= 14.10.3 14.10.3
magick.net-q16-hdri-anycpu <= 14.10.3 14.10.3
magick.net-q16-hdri-openmp-arm64 <= 14.10.3 14.10.3
magick.net-q16-hdri-arm64 <= 14.10.3 14.10.3
magick.net-q16-hdri-x64 <= 14.10.3 14.10.3
magick.net-q16-hdri-x86 <= 14.10.3 14.10.3
magick.net-q16-openmp-arm64 <= 14.10.3 14.10.3
magick.net-q16-openmp-x64 <= 14.10.3 14.10.3
magick.net-q16-openmp-x86 <= 14.10.3 14.10.3
magick.net-q16-arm64 <= 14.10.3 14.10.3
magick.net-q16-x64 <= 14.10.3 14.10.3
magick.net-q16-x86 <= 14.10.3 14.10.3
magick.net-q16-hdri-openmp-x64 <= 14.10.3 14.10.3
magick.net-q8-anycpu <= 14.10.3 14.10.3
magick.net-q8-openmp-arm64 <= 14.10.3 14.10.3
magick.net-q8-openmp-x64 <= 14.10.3 14.10.3
magick.net-q8-arm64 <= 14.10.3 14.10.3
magick.net-q8-x64 <= 14.10.3 14.10.3
magick.net-q8-x86 <= 14.10.3 14.10.3
Original title
ImageMagick has heap buffer overflow in YUV 4:2:2 decoder
Original description
A heap buffer overflow write vulnerability exists in ReadYUVImage() (coders/yuv.c) when processing malicious YUV 4:2:2 (NoInterlace) images. The pixel-pair loop writes one pixel beyond the allocated row buffer.

```
=================================================================
==204642==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5170000002e0 at pc 0x562d21a7e8de bp 0x7fffa9ae1270 sp 0x7fffa9ae1260
WRITE of size 8 at 0x5170000002e0 thread T0
```
nvd CVSS3.1 9.8
Vulnerability type
CWE-787 Out-of-bounds Write
Published: 12 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026