Vulnerability Database>CVE-2026-25898

CVE-2026-25898

Publish date: March 22, 2026

Severity

High

CVSS score

9.1

Package

imagemagick

Affected versions

>= 8:6.9.11.60+dfsg-1.6+deb12u3, < 8:7.1.1.43+dfsg1-1+deb13u4+e4

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, the UIL and XPM image encoders do not validate the pixel index value returned by `GetPixelIndex()` before using it as an array subscript. In HDRI builds, `Quantum` is a floating-point type, which allows pixel index values to be negative. An attacker could craft an image with negative pixel index values to trigger a global buffer overflow read during conversion, potentially leading to information disclosure or a process crash. Versions 7.1.2-15 and 6.9.13-40 include a patch that addresses this issue.

‍

Learn about Echo's vulnerability management

Learn more

NVD Record:

https://nvd.nist.gov/vuln/detail/CVE-2026-25898

References:

https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vpxv-r9pg-7gpr

CVE-2026-25898

NVD Record:

References:

Related CVEs: