VYPR
← All advisories
High severityNVD Advisory· Published Feb 24, 2026· Updated Feb 28, 2026

ImageMagick has integer overflow or wraparound and incorrect conversion between numeric types in the internal SVG decoder

CVE-2026-25989

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted SVG file can cause a denial of service. An off-by-one boundary check (> instead of >=) that allows bypass the guard and reach an undefined (size_t) cast. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ImageMagick SVG parser has an off-by-one error leading to denial of service; patched in versions 7.1.2-15 and 6.9.13-40.

Vulnerability

CVE-2026-25989 is an off-by-one boundary check in ImageMagick's SVG parsing code. The issue arises from using > instead of >= in a size comparison, allowing a crafted SVG file to bypass the intended guard and reach an undefined (size_t) cast [2]. This flaw affects versions prior to 7.1.2-15 and 6.9.13-40 [1].

Exploitation

An attacker can exploit this vulnerability by providing a specially crafted SVG file to a vulnerable ImageMagick instance. No authentication or special network position is required; the attack can be triggered simply by processing the malicious file. This leads to a denial-of-service condition because the undefined cast causes undefined behavior, likely resulting in a crash [2].

Impact

The primary impact is denial of service: a remote unauthenticated attacker can cause ImageMagick to crash by submitting a malicious SVG file. There is no evidence of code execution or memory disclosure from the available information [2].

Mitigation

ImageMagick has patched the vulnerability in versions 7.1.2-15 and 6.9.13-40. Users should upgrade to these versions or later. The fix is available in the commit referenced [4]. Users are also encouraged to follow ImageMagick's security policy guidance [1].

References
  1. GitHub - ImageMagick/ImageMagick: ImageMagick is a free, open-source software suite for creating, editing, converting, and displaying images. It supports 200+ formats and offers powerful command-line tools and APIs for automation, scripting, and integration across platforms.
  2. NVD - CVE-2026-25989
  3. https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7… · ImageMagick/ImageMagick@5a545ab

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
Magick.NET-Q16-AnyCPUNuGet
< 14.10.314.10.3
Magick.NET-Q16-HDRI-AnyCPUNuGet
< 14.10.314.10.3
Magick.NET-Q16-HDRI-OpenMP-arm64NuGet
< 14.10.314.10.3
Magick.NET-Q16-HDRI-OpenMP-x64NuGet
< 14.10.314.10.3
Magick.NET-Q16-HDRI-arm64NuGet
< 14.10.314.10.3
Magick.NET-Q16-HDRI-x64NuGet
< 14.10.314.10.3
Magick.NET-Q16-HDRI-x86NuGet
< 14.10.314.10.3
Magick.NET-Q16-OpenMP-arm64NuGet
< 14.10.314.10.3
Magick.NET-Q16-OpenMP-x64NuGet
< 14.10.314.10.3
Magick.NET-Q16-OpenMP-x86NuGet
< 14.10.314.10.3
Magick.NET-Q16-arm64NuGet
< 14.10.314.10.3
Magick.NET-Q16-x64NuGet
< 14.10.314.10.3
Magick.NET-Q16-x86NuGet
< 14.10.314.10.3
Magick.NET-Q8-AnyCPUNuGet
< 14.10.314.10.3
Magick.NET-Q8-OpenMP-arm64NuGet
< 14.10.314.10.3
Magick.NET-Q8-OpenMP-x64NuGet
< 14.10.314.10.3
Magick.NET-Q8-arm64NuGet
< 14.10.314.10.3
Magick.NET-Q8-x64NuGet
< 14.10.314.10.3
Magick.NET-Q8-x86NuGet
< 14.10.314.10.3

Affected products

2
  • ImageMagick/Imagemagickllm-fuzzy2 versions
    < 7.1.2-15, < 6.9.13-40+ 1 more
    • (no CPE)range: < 7.1.2-15, < 6.9.13-40
    • (no CPE)range: >= 7.0.0, < 7.1.2-15

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

5

News mentions

0

No linked articles in our index yet.