ImageMagick Can Leak Sensitive Data or Crash

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

6.5

ImageMagick Can Leak Sensitive Data or Crash

CVE-2026-25898 CVE-2026-25898 GHSA-vpxv-r9pg-7gpr

Summary

ImageMagick, a software used for image editing, has a flaw that can cause sensitive data to be leaked or the program to crash if it is given a specially crafted image. This affects older versions of ImageMagick and has been fixed in more recent versions. If you use ImageMagick, update to the latest version to ensure you have the fix.

What to do

Update magick.net-q16-anycpu to version 14.10.3.
Update magick.net-q16-hdri-anycpu to version 14.10.3.
Update magick.net-q16-hdri-openmp-arm64 to version 14.10.3.
Update magick.net-q16-hdri-openmp-x64 to version 14.10.3.
Update magick.net-q16-hdri-arm64 to version 14.10.3.
Update magick.net-q16-hdri-x64 to version 14.10.3.
Update magick.net-q16-openmp-arm64 to version 14.10.3.
Update magick.net-q16-openmp-x64 to version 14.10.3.
Update magick.net-q16-openmp-x86 to version 14.10.3.
Update magick.net-q16-arm64 to version 14.10.3.
Update magick.net-q16-x64 to version 14.10.3.
Update magick.net-q16-x86 to version 14.10.3.
Update magick.net-q8-anycpu to version 14.10.3.
Update magick.net-q8-openmp-arm64 to version 14.10.3.
Update magick.net-q8-openmp-x64 to version 14.10.3.
Update magick.net-q8-arm64 to version 14.10.3.
Update magick.net-q8-x86 to version 14.10.3.

Affected software

Vendor	Product	Affected versions	Fix available
–	magick.net-q16-anycpu	<= 14.10.3	14.10.3
–	magick.net-q16-hdri-anycpu	<= 14.10.3	14.10.3
–	magick.net-q16-hdri-openmp-arm64	<= 14.10.3	14.10.3
–	magick.net-q16-hdri-openmp-x64	<= 14.10.3	14.10.3
–	magick.net-q16-hdri-arm64	<= 14.10.3	14.10.3
–	magick.net-q16-hdri-x64	<= 14.10.3	14.10.3
–	magick.net-q16-openmp-arm64	<= 14.10.3	14.10.3
–	magick.net-q16-openmp-x64	<= 14.10.3	14.10.3
–	magick.net-q16-openmp-x86	<= 14.10.3	14.10.3
–	magick.net-q16-arm64	<= 14.10.3	14.10.3
–	magick.net-q16-x64	<= 14.10.3	14.10.3
–	magick.net-q16-x86	<= 14.10.3	14.10.3
–	magick.net-q8-anycpu	<= 14.10.3	14.10.3
–	magick.net-q8-openmp-arm64	<= 14.10.3	14.10.3
–	magick.net-q8-openmp-x64	<= 14.10.3	14.10.3
–	magick.net-q8-arm64	<= 14.10.3	14.10.3
–	magick.net-q8-x86	<= 14.10.3	14.10.3
imagemagick	imagemagick	<= 6.9.13-40	–
imagemagick	imagemagick	> 7.0.0-0 , <= 7.1.2-15	–

Original title

Imagemagick Has Global Buffer Overflow (OOB Read) via Negative Pixel Index in UIL and XPM Writer

Original description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, the UIL and XPM image encoder do not validate the pixel index value returned by `GetPixelIndex()` before using it as an array subscript. In HDRI builds, `Quantum` is a floating-point type, so pixel index values can be negative. An attacker can craft an image with negative pixel index values to trigger a global buffer overflow read during conversion, leading to information disclosure or a process crash. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

nvd CVSS3.1 9.1

Vulnerability type

CWE-125 Out-of-bounds Read

Published: 24 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026