VYPR
High severity · NVD Advisory · Published Feb 24, 2026 · Updated Feb 28, 2026

Memory allocation with excessive size without limits in the internal SVG decoder

CVE-2026-25985

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted SVG file containing a malicious element causes ImageMagick to attempt to allocate ~674 GB of memory, leading to an out-of-memory abort. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A crafted SVG file can cause ImageMagick to attempt allocating ~674 GB of memory, leading to an out-of-memory abort.

Vulnerability Overview

CVE-2026-25985 is a denial-of-service vulnerability in ImageMagick, a widely used open-source image processing suite. The issue exists in versions prior to 7.1.2-15 and 6.9.13-40. A specially crafted SVG file containing a malicious element triggers an attempt to allocate approximately 674 GB of memory, causing an out-of-memory abort and effectively crashing the application [2]. The root cause is insufficient bounds checking in the internal SVG decoder, where memory allocation requests are not properly validated against configurable limits [4].

Exploitation

An attacker can exploit this vulnerability by providing a malicious SVG file to an application or service that uses ImageMagick to process user-supplied images. No authentication is required; the attack can be delivered via any vector that allows file upload or image processing, such as web applications, email attachments, or file conversion services. The crafted SVG element causes the decoder to compute an excessive memory allocation size, which passes the previous check because that check compared against MAGICK_SSIZE_MAX instead of the configurable GetMaxMemoryRequest() limit [4].

Impact

Successful exploitation results in a denial of service (DoS) due to memory exhaustion. The application or system may become unresponsive or crash, potentially affecting availability for legitimate users. There is no indication of code execution or data leakage; the impact is limited to availability [2].

Mitigation

The vulnerability is patched in ImageMagick versions 7.1.2-15 and 6.9.13-40 [2]. Users should update to these versions or later. As a general security practice, administrators can also configure ImageMagick's policy file to limit memory usage and disable SVG processing if not required [1]. The fix replaces the hardcoded MAGICK_SSIZE_MAX comparison with a call to GetMaxMemoryRequest(), which respects the user-defined memory limits [4].
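
The difference between the two checks described above, as an added C example that is not ImageMagick's code. The function names, the 256 MiB cap and the element count are assumptions constructed for illustration; SIZE_CEILING stands in for MAGICK_SSIZE_MAX and configured_max_request for the value GetMaxMemoryRequest() returns.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for MAGICK_SSIZE_MAX on a 64-bit build (assumption). */
#define SIZE_CEILING ((uint64_t) INT64_MAX)

/* Hypothetical operator-set cap, standing in for the value that
   GetMaxMemoryRequest() returns; 256 MiB is a constructed figure. */
static uint64_t configured_max_request = 256ULL * 1024 * 1024;

/* count * quantum with overflow detection; returns 1 on success. */
static int checked_mul(uint64_t count, uint64_t quantum, uint64_t *bytes)
{
  if (quantum != 0 && count > UINT64_MAX / quantum)
    return 0;
  *bytes = count * quantum;
  return 1;
}

/* Check as the page describes it before the fix: only the type ceiling. */
int request_allowed_before(uint64_t count, uint64_t quantum)
{
  uint64_t bytes;
  return checked_mul(count, quantum, &bytes) && bytes <= SIZE_CEILING;
}

/* Check as described after the fix: the configured request limit. */
int request_allowed_after(uint64_t count, uint64_t quantum)
{
  uint64_t bytes, limit = configured_max_request;
  if (limit > SIZE_CEILING)
    limit = SIZE_CEILING;
  return checked_mul(count, quantum, &bytes) && bytes <= limit;
}

int main(void)
{
  /* Constructed request: 84,250,000,000 elements of 8 bytes = 674 GB. */
  uint64_t count = 84250000000ULL, quantum = 8;
  printf("before fix: %s\n",
         request_allowed_before(count, quantum) ? "allocate" : "reject");
  printf("after fix:  %s\n",
         request_allowed_after(count, quantum) ? "allocate" : "reject");
  return 0;
}
```

In this model the second check is only as tight as the configured limit, so the request is rejected before any allocation is attempted only when that limit is set below the requested size.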

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| Magick.NET-Q16-AnyCPU | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-AnyCPU | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-OpenMP-arm64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-OpenMP-x64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-arm64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-x64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-x86 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-OpenMP-arm64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-OpenMP-x64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-OpenMP-x86 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-arm64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-x64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-x86 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-AnyCPU | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-OpenMP-arm64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-OpenMP-x64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-arm64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-x64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-x86 | NuGet | < 14.10.3 | 14.10.3 |

Affected products

  • ImageMagick/Imagemagick [llm-fuzzy], 2 versions
    • (no CPE) range: < 7.1.2-15, < 6.9.13-40
    • (no CPE) range: >= 7.0.0, < 7.1.2-15
