ImageMagick crashes or writes data outside allocated space when handling large UHDR images

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

8.2

ImageMagick crashes or writes data outside allocated space when handling large UHDR images

CVE-2026-25794 GHSA-vhqj-f5cj-9x8h

Summary

A bug in ImageMagick's handling of large UHDR images can cause the program to crash or write data outside the allocated space. This can potentially lead to data corruption or security issues. Update to the latest version of ImageMagick to fix this issue.

What to do

Update magick.net-q16-anycpu to version 14.10.3.
Update magick.net-q16-hdri-anycpu to version 14.10.3.
Update magick.net-q16-hdri-openmp-arm64 to version 14.10.3.
Update magick.net-q16-hdri-openmp-x64 to version 14.10.3.
Update magick.net-q16-hdri-arm64 to version 14.10.3.
Update magick.net-q16-hdri-x64 to version 14.10.3.
Update magick.net-q16-hdri-x86 to version 14.10.3.
Update magick.net-q16-openmp-arm64 to version 14.10.3.
Update magick.net-q16-openmp-x64 to version 14.10.3.
Update magick.net-q16-openmp-x86 to version 14.10.3.
Update magick.net-q16-arm64 to version 14.10.3.
Update magick.net-q16-x64 to version 14.10.3.
Update magick.net-q16-x86 to version 14.10.3.
Update magick.net-q8-anycpu to version 14.10.3.
Update magick.net-q8-openmp-arm64 to version 14.10.3.
Update magick.net-q8-openmp-x64 to version 14.10.3.
Update magick.net-q8-arm64 to version 14.10.3.
Update magick.net-q8-x64 to version 114.10.3.
Update magick.net-q8-x86 to version 14.10.3.

Affected software

Vendor	Product	Affected versions	Fix available
–	magick.net-q16-anycpu	<= 14.10.3	14.10.3
–	magick.net-q16-hdri-anycpu	<= 14.10.3	14.10.3
–	magick.net-q16-hdri-openmp-arm64	<= 14.10.3	14.10.3
–	magick.net-q16-hdri-openmp-x64	<= 14.10.3	14.10.3
–	magick.net-q16-hdri-arm64	<= 14.10.3	14.10.3
–	magick.net-q16-hdri-x64	<= 14.10.3	14.10.3
–	magick.net-q16-hdri-x86	<= 14.10.3	14.10.3
–	magick.net-q16-openmp-arm64	<= 14.10.3	14.10.3
–	magick.net-q16-openmp-x64	<= 14.10.3	14.10.3
–	magick.net-q16-openmp-x86	<= 14.10.3	14.10.3
–	magick.net-q16-arm64	<= 14.10.3	14.10.3
–	magick.net-q16-x64	<= 14.10.3	14.10.3
–	magick.net-q16-x86	<= 14.10.3	14.10.3
–	magick.net-q8-anycpu	<= 14.10.3	14.10.3
–	magick.net-q8-openmp-arm64	<= 14.10.3	14.10.3
–	magick.net-q8-openmp-x64	<= 14.10.3	14.10.3
–	magick.net-q8-arm64	<= 14.10.3	14.10.3
–	magick.net-q8-x64	<= 14.10.3	114.10.3
–	magick.net-q8-x86	<= 14.10.3	14.10.3
imagemagick	imagemagick	<= 7.1.2-15	–

Original title

ImageMagick has heap-buffer-overflow via signed integer overflow in WriteUHDRImage when writing UHDR images with large dimensions

Original description

`WriteUHDRImage` in `coders/uhdr.c` uses `int` arithmetic to compute the pixel buffer size. When image dimensions are large, the multiplication overflows 32-bit `int`, causing an undersized heap allocation followed by an out-of-bounds write. This can crash the process or potentially lead to an out of bounds heap write.
```
==1575126==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fc382ef3820 at pc 0x5560d31f229f bp 0x7ffe865f9530 sp 0x7ffe865f9520
WRITE of size 8 at 0x7fc382ef3820 thread T0
#0 0x5560d31f229e in WriteUHDRImage coders/uhdr.c:807
```

nvd CVSS3.1 8.2

Vulnerability type

CWE-122 Heap-based Buffer Overflow

CWE-190 Integer Overflow

Published: 24 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026