ImageMagick Has Global Buffer Overflow (OOB Read) via Negative Pixel Index in UIL and XPM Writer
Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, the UIL and XPM image encoders do not validate the pixel index value returned by GetPixelIndex() before using it as an array subscript. In HDRI builds, Quantum is a floating-point type, so pixel index values can be negative. An attacker can craft an image with negative pixel index values to trigger a global buffer overflow read during conversion, leading to information disclosure or a process crash. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ImageMagick's UIL and XPM encoders fail to validate pixel indices, allowing crafted images with negative indices to cause an out-of-bounds read, leading to information disclosure or denial of service.
Vulnerability
Overview
The vulnerability resides in the UIL and XPM image encoders in ImageMagick. These encoders do not validate the pixel index value returned by GetPixelIndex() before using it as an array subscript. In HDRI (High Dynamic Range Imaging) builds, the Quantum type is a floating-point number, so pixel index values can be negative. [1][2][4]
Exploitation
An attacker can craft a malicious image file that contains negative pixel index values. When ImageMagick processes this image for conversion (e.g., converting to UIL or XPM format), the encoder uses the negative index as an array subscript, resulting in a global buffer over-read (out-of-bounds read). [2][4] The issue affects both the UIL encoder (at coders/uil.c:355) and the XPM encoder (at coders/xpm.c:1135). [4]
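As an added illustration (not ImageMagick's code and not the upstream patch), a C model of an indexed-image writer's inner loop under an HDRI build: `Quantum` is a float, `lookup_unchecked` shows the unvalidated subscript the advisory describes, and `checked_index` / `encode_row` show the range check a writer needs before the index touches the symbol table. All names, the symbol table and the sample rows are constructed; the check also rejects indices past the end of the table, which the same bound covers.

```c
#include <stddef.h>
#include <string.h>

/* Model of an HDRI build: Quantum is floating point, so an index read back
   from a pixel can be negative (or NaN, or past the palette). */
typedef float Quantum;

/* Constructed symbol table standing in for the per-colour symbols an
   indexed-image writer emits; only the first `colors` entries are valid. */
#define MAX_COLORS 8
static const char symbol_table[MAX_COLORS] = {'a','b','c','d','e','f','g','h'};

/* Constructed sample rows: one well-formed, one carrying a negative index. */
const Quantum sample_ok[4]  = {0.0f, 1.0f, 2.0f, 1.0f};
const Quantum sample_bad[3] = {0.0f, -1.0f, 2.0f};

/* The vulnerable shape: the float index is cast and used as a subscript with
   no range check. With index == -1.0f this reads before symbol_table (a
   global buffer over-read), so it must never see untrusted pixel data. */
char lookup_unchecked(Quantum index)
{
    return symbol_table[(long) index];
}

/* Validate an index before it becomes a subscript. Returns the index as a
   non-negative long, or -1 for negative, NaN (the negated >= catches it) or
   >= colors. */
long checked_index(Quantum index, size_t colors)
{
    if (!(index >= 0.0f) || index >= (Quantum) colors)
        return -1;
    return (long) index;
}

/* Hardened form of the writer's loop: encode one row of index pixels into
   symbols. Returns 0 on success, -1 on the first invalid index; `out` must
   hold width + 1 bytes and is emptied on failure. */
int encode_row(const Quantum *indexes, size_t width, size_t colors, char *out)
{
    if (colors > MAX_COLORS)
        return -1;
    for (size_t x = 0; x < width; x++) {
        long idx = checked_index(indexes[x], colors);
        if (idx < 0) {
            out[0] = '\0';
            return -1;
        }
        out[x] = symbol_table[idx];
    }
    out[width] = '\0';
    return 0;
}
```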
Impact
The out-of-bounds read can lead to information disclosure by reading adjacent memory, potentially exposing sensitive data. It can also cause a process crash, leading to denial of service. No special privileges are needed; the attacker only needs to provide a crafted image file to a user or service that processes images with ImageMagick. [2][4]
Mitigation
The vulnerability is fixed in ImageMagick versions 7.1.2-15 and 6.9.13-40. Users should upgrade to these patched versions. The issue is also tracked as GHSA-vpxv-r9pg-7gpr and was included in the Magick.NET 14.10.3 release. [3][4]
- [1] GitHub - ImageMagick/ImageMagick: ImageMagick is a free, open-source software suite for creating, editing, converting, and displaying images. It supports 200+ formats and offers powerful command-line tools and APIs for automation, scripting, and integration across platforms.
- [2] NVD - CVE-2026-25898
- [3] Release Magick.NET 14.10.3 · dlemstra/Magick.NET
- [4] Global Buffer Overflow (OOB Read) via Negative Pixel Index in UIL and XPM Writer
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| Magick.NET-Q16-AnyCPU | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-AnyCPU | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-OpenMP-arm64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-OpenMP-x64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-arm64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-x64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-OpenMP-arm64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-OpenMP-x64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-OpenMP-x86 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-arm64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-x64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-x86 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-AnyCPU | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-OpenMP-arm64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-OpenMP-x64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-arm64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-x86 | NuGet | < 14.10.3 | 14.10.3 |
Affected products
- (no CPE) range: <= 6.9.13-40
- (no CPE) range: >= 7.0.0, < 7.1.2-15
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-vpxv-r9pg-7gpr (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-25898 (ghsa, ADVISORY)
- github.com/ImageMagick/ImageMagick/commit/c9c87dbaba56bf82aebd3392e11f0ffd93709b12 (ghsa, WEB)
- github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vpxv-r9pg-7gpr (ghsa, x_refsource_CONFIRM, WEB)
- github.com/dlemstra/Magick.NET/releases/tag/14.10.3 (ghsa, WEB)
News mentions
No linked articles in our index yet.