VYPR
Moderate severity · NVD Advisory · Published Feb 24, 2026 · Updated Feb 28, 2026

ImageMagick Has Heap Out-of-Bounds Read in DCM Decoder (ReadDCMImage)

CVE-2026-25982

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap out-of-bounds read vulnerability exists in the coders/dcm.c module. When processing DICOM files with a specific configuration, the decoder loop reads an incorrect number of bytes per iteration. This causes the function to read past the end of the allocated buffer, potentially leading to a Denial of Service (crash) or Information Disclosure (leaking heap memory into the image). Versions 7.1.2-15 and 6.9.13-40 contain a patch.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A heap out-of-bounds read in ImageMagick's DICOM decoder can crash the process or leak heap memory; patched in versions 7.1.2-15 and 6.9.13-40.

Vulnerability

Overview

CVE-2026-25982 is a heap out-of-bounds read vulnerability in ImageMagick's DICOM decoder, located in the coders/dcm.c module. The root cause is an incorrect byte-per-iteration calculation in the decoder loop when processing specially crafted DICOM files. This flaw causes the function to read beyond the allocated buffer boundary, leading to undefined behavior [2][4].

Exploitation and Attack Surface

An attacker can exploit this vulnerability by supplying a malicious DICOM image to an application or service that uses ImageMagick to process images. No authentication is required, and the attack can be performed remotely if the victim processes the crafted file. The vulnerability is triggered during the decoding phase, before any image data is rendered, making it accessible through common image processing pipelines [2][4].

Impact

Successful exploitation can result in a denial of service (application crash) or information disclosure, where heap memory contents may be leaked into the output image. The leaked memory could contain sensitive data from other processes or the operating system, depending on the heap state at the time of the read [2][4].

Mitigation

The vulnerability has been patched in ImageMagick versions 7.1.2-15 and 6.9.13-40. Users should update to these or later versions immediately. No workarounds are documented, but restricting DICOM file processing to trusted sources can reduce risk [2][4].
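As an added defender-side check, not part of this advisory or of ImageMagick's own code, the script below parses the version banner printed by `magick -version` / `convert -version`, compares it against the fixed releases named above on the 6.x and 7.x branches, and inspects an ImageMagick policy.xml for a coder-domain rule that denies the DCM coder, which is one way to implement the "restrict DICOM processing" advice. The banner and policy.xml inputs are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Fixed releases named in the advisory, keyed by major branch.
FIXED = {7: (7, 1, 2, 15), 6: (6, 9, 13, 40)}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)-(\d+)\b")


def parse_version(banner: str) -> tuple:
    """Pull (major, minor, patch, release) out of `magick -version` /
    `convert -version` output, e.g. 'Version: ImageMagick 7.1.2-14 Q16 ...'."""
    m = VERSION_RE.search(banner)
    if m is None:
        raise ValueError("no ImageMagick version string found in banner")
    return tuple(int(g) for g in m.groups())


def is_vulnerable(version: tuple) -> bool:
    """True when the build predates the fix on its branch (6.x or 7.x).
    Other major versions fall outside the advisory's stated range."""
    fixed = FIXED.get(version[0])
    return fixed is not None and version < fixed


def dcm_coder_disabled(policy_xml: str) -> bool:
    """True if policy.xml carries a coder-domain rule with rights="none"
    whose pattern names DCM (or '*'). Only deny rules are considered;
    a later allow rule overriding the deny is not modelled here."""
    root = ET.fromstring(policy_xml)
    for rule in root.iter("policy"):
        if rule.get("domain") != "coder" or rule.get("rights") != "none":
            continue
        pattern = rule.get("pattern", "").strip("{}")
        names = {p.strip().upper() for p in pattern.split(",")}
        if "DCM" in names or "*" in names:
            return True
    return False


# Constructed sample inputs (not captured from a real system).
SAMPLE_BANNER = "Version: ImageMagick 7.1.2-14 Q16-HDRI x86_64 22000 https://imagemagick.org"
SAMPLE_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,PDF,XPS}" />
  <policy domain="coder" rights="none" pattern="DCM" />
</policymap>"""

if __name__ == "__main__":
    ver = parse_version(SAMPLE_BANNER)
    print("vulnerable:", is_vulnerable(ver), "| DCM coder disabled:", dcm_coder_disabled(SAMPLE_POLICY))
```

On a real host, feed the output of `magick -version` to `parse_version` and the contents of the active policy.xml (`magick -list policy` shows which file is loaded) to `dcm_coder_disabled`.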

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                            Ecosystem   Affected versions   Patched versions
Magick.NET-Q16-AnyCPU              NuGet       < 14.10.3           14.10.3
Magick.NET-Q16-HDRI-AnyCPU         NuGet       < 14.10.3           14.10.3
Magick.NET-Q16-HDRI-OpenMP-arm64   NuGet       < 14.10.3           14.10.3
Magick.NET-Q16-HDRI-arm64          NuGet       < 14.10.3           14.10.3
Magick.NET-Q16-HDRI-x64            NuGet       < 14.10.3           14.10.3
Magick.NET-Q16-HDRI-x86            NuGet       < 14.10.3           14.10.3
Magick.NET-Q16-OpenMP-arm64        NuGet       < 14.10.3           14.10.3
Magick.NET-Q16-OpenMP-x64          NuGet       < 14.10.3           14.10.3
Magick.NET-Q16-OpenMP-x86          NuGet       < 14.10.3           14.10.3
Magick.NET-Q16-arm64               NuGet       < 14.10.3           14.10.3
Magick.NET-Q16-x64                 NuGet       < 14.10.3           14.10.3
Magick.NET-Q16-x86                 NuGet       < 14.10.3           14.10.3
Magick.NET-Q16-HDRI-OpenMP-x64     NuGet       < 14.10.3           14.10.3
Magick.NET-Q8-AnyCPU               NuGet       < 14.10.3           14.10.3
Magick.NET-Q8-OpenMP-arm64         NuGet       < 14.10.3           14.10.3
Magick.NET-Q8-OpenMP-x64           NuGet       < 14.10.3           14.10.3
Magick.NET-Q8-arm64                NuGet       < 14.10.3           14.10.3
Magick.NET-Q8-x64                  NuGet       < 14.10.3           14.10.3
Magick.NET-Q8-x86                  NuGet       < 14.10.3           14.10.3

Affected products (2)

  • ImageMagick/Imagemagick (llm-fuzzy match), 2 version ranges: <7.1.2-15, <6.9.13-40, + 1 more
    • (no CPE) range: <7.1.2-15, <6.9.13-40
    • (no CPE) range: >= 7.0.0, < 7.1.2-15

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (4)

News mentions (0)

No linked articles in our index yet.