ImageMagick: Out of bounds read in multiple coders read raw pixel data
Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap buffer over-read vulnerability exists in multiple raw image format handlers. The vulnerability occurs when processing images with -extract dimensions larger than -size dimensions, causing out-of-bounds memory reads from a heap-allocated buffer. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A heap buffer over-read in ImageMagick's raw image decoders occurs when -extract dimensions exceed -size, potentially leaking sensitive memory.
Vulnerability
Overview
CVE-2026-25576 is a heap buffer over-read vulnerability in ImageMagick, affecting multiple raw image format decoders (e.g., CMYK, YUV, MAP). The root cause is that when processing images with the -extract option specifying dimensions larger than the -size option, the decoder iterates over image->columns (the extract width) instead of the actual allocated buffer width. This leads to out-of-bounds reads from a heap-allocated buffer [1][3].
Exploitation
An attacker can trigger the vulnerability by providing a crafted image file and using ImageMagick command-line options such as -extract 1000x1000 -size 10x10 input.png output.png. No authentication is required; the attack surface is any application or service that processes user-supplied images with ImageMagick. The bug lies in the pixel-read loops of ReadCMYKImage and the other raw-format readers, where the loop bound was not clamped to the minimum of the extract and size dimensions [3].
Impact
Successful exploitation results in reading heap memory beyond the allocated buffer. This can leak sensitive information (e.g., cryptographic keys, passwords, or other data) present in adjacent heap regions. The CVSS score is not yet assigned, but the vulnerability is classified as a heap buffer over-read with potential information disclosure [1].
Mitigation
The issue is patched in ImageMagick versions 7.1.2-15 and 6.9.13-40. Users should update immediately. No workarounds are documented; however, disabling raw format support or restricting -extract usage via policy may reduce risk. The fix introduces a columns variable that caps the loop iteration to MagickMin(image->columns, canvas_image->columns) [3]. The vulnerability is also tracked in downstream projects such as Magick.NET [4].
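A simplified model of the loop-bound defect and of the MagickMin clamp described above, written as an added example for this page; it is not ImageMagick's code, and the function names, the four-channel CMYK layout and the row-by-row structure are assumptions. It computes how far the unpatched bound would run past one allocated row for the advisory's 10x10 / 1000x1000 case, and performs the patched read safely.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not ImageMagick's code.
   canvas_columns: width allocated from -size (10 in the advisory example).
   image_columns:  width requested with -extract (1000 in the advisory example). */
#define CMYK_CHANNELS 4 /* assumption: one byte per C, M, Y, K sample */

/* MagickMin-style clamp used by the fix: the loop bound becomes the smaller
   of the extract width and the allocated canvas width. */
size_t clamp_columns(size_t image_columns, size_t canvas_columns) {
  return image_columns < canvas_columns ? image_columns : canvas_columns;
}

/* Bytes beyond the end of one allocated row that the unpatched loop, bounded
   by image->columns alone, would read. Zero means the row is not over-read. */
size_t unpatched_overread_bytes(size_t image_columns, size_t canvas_columns,
                                size_t channels) {
  size_t row_bytes = canvas_columns * channels;
  size_t loop_bytes = image_columns * channels;
  return loop_bytes > row_bytes ? loop_bytes - row_bytes : 0;
}

/* Patched per-row read: the heap row only holds canvas_columns pixels, so the
   loop bound is clamped before copying. Returns the number of bytes consumed. */
size_t read_row_patched(const unsigned char *row, size_t canvas_columns,
                        size_t image_columns, size_t channels,
                        unsigned char *out, size_t out_len) {
  size_t bytes = clamp_columns(image_columns, canvas_columns) * channels;
  if (bytes > out_len)
    bytes = out_len;
  memcpy(out, row, bytes);
  return bytes;
}

/* The advisory's scenario (-size 10x10, -extract 1000x1000) under the old bound. */
size_t demo_overread_bytes(void) {
  return unpatched_overread_bytes(1000, 10, CMYK_CHANNELS);
}

/* The same scenario under the patched bound: only the 40 allocated bytes move. */
size_t demo_patched_bytes(void) {
  size_t canvas_columns = 10, image_columns = 1000;
  unsigned char *row = calloc(canvas_columns * CMYK_CHANNELS, 1); /* heap row */
  unsigned char out[1000 * CMYK_CHANNELS];
  if (row == NULL)
    return 0;
  size_t n = read_row_patched(row, canvas_columns, image_columns,
                              CMYK_CHANNELS, out, sizeof out);
  free(row);
  return n;
}
```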
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Magick.NET-Q16-AnyCPU (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-AnyCPU (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-OpenMP-arm64 (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-arm64 (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-x64 (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-x86 (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-OpenMP-arm64 (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-OpenMP-x64 (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-OpenMP-x86 (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-arm64 (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-x64 (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-x86 (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-AnyCPU (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-OpenMP-arm64 (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-x64 (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-x86 (NuGet) | < 14.10.3 | 14.10.3 |
Affected products
- (no CPE) range: <7.1.2-15 or <6.9.13-40
- (no CPE) range: >= 7.0.0, < 7.1.2-15
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-jv4p-gjwq-9r2j (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-25576 (NVD advisory)
- github.com/ImageMagick/ImageMagick/commit/077b42643212d7da8c1a4f6b2cd0067ebca8ec0f (fix commit)
- github.com/ImageMagick/ImageMagick/security/advisories/GHSA-jv4p-gjwq-9r2j (ImageMagick security advisory)
- github.com/dlemstra/Magick.NET/releases/tag/14.10.3 (Magick.NET release)
News mentions
No linked articles in our index yet.