Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a logic error in YUV sampling factor validation allows an invalid sampling factor to bypass checks and trigger a division-by-zero during image loading, resulting in a reliable denial-of-service. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
Published: 2026-02-24
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

ImageMagick, a widely used open-source image manipulation library, contains a logic error in YUV sampling factor validation. An attacker can provide an image with an invalid sampling factor that bypasses internal checks, causing a division-by-zero during image loading. This error leads to a crash that reliably triggers a denial-of-service condition for the affected process. The weakness corresponds to CWE-369.

Affected Systems

Vendor: ImageMagick; Product: ImageMagick. Affected versions are all releases prior to 7.1.2-15 and 6.9.13-40.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% indicates a very low probability of exploitation in the wild. The vulnerability is not currently listed in the CISA KEV catalog. Exploitation requires an attacker to supply a crafted image to a vulnerable instance of ImageMagick, such as an application that automatically processes user-supplied images. Because the denial-of-service outcome is deterministic, an attacker who controls image input can deliberately bring the target process or host down. The attack vector is therefore a remote or local image upload, depending on how the software is exposed.

Generated by OpenCVE AI on April 17, 2026 at 16:01 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to version 7.1.2-15 or later, or 6.9.13-40 or later.
  • If a patch is not immediately available, validate or reject images with YUV sampling factors that would trigger the division-by-zero before invoking the library.
  • Configure any applications that use ImageMagick to process images in a restricted, sandboxed context to limit the impact of a potential denial-of-service.


Advisories
Source: Debian DLA; ID: DLA-4497-1; Title: imagemagick security update
Source: Debian DSA; ID: DSA-6158-1; Title: imagemagick security update
Source: Debian DSA; ID: DSA-6159-1; Title: imagemagick security update
Source: Github GHSA; ID: GHSA-543g-8grm-9cw6; Title: ImageMagick has Division-by-Zero in YUV sampling factor validation, which leads to crash

History

Thu, 26 Feb 2026 17:15:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Feb 2026 18:45:00 +0000

Type: CPEs
Values added: cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*

Tue, 24 Feb 2026 12:15:00 +0000

Type: References
Type: Metrics
Values removed: threat_severity None
Values added: threat_severity Moderate

Tue, 24 Feb 2026 10:00:00 +0000

Type: First Time appeared
Values added: Imagemagick; Imagemagick imagemagick
Type: Vendors & Products
Values added: Imagemagick; Imagemagick imagemagick

Tue, 24 Feb 2026 01:15:00 +0000

Type: Description
Values added: ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a logic error in YUV sampling factor validation allows an invalid sampling factor to bypass checks and trigger a division-by-zero during image loading, resulting in a reliable denial-of-service. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
Type: Title
Values added: ImageMagick has Division-by-Zero in YUV sampling factor validation, which leads to crash
Type: Weaknesses
Values added: CWE-369
Type: References
Type: Metrics
Values added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T15:22:25.612Z

Reserved: 2026-02-05T19:58:01.640Z

Link: CVE-2026-25799

Vulnrichment

Updated: 2026-02-26T15:22:18.908Z

NVD

Status : Analyzed

Published: 2026-02-24T01:16:14.763

Modified: 2026-02-24T18:44:52.853

Link: CVE-2026-25799

Redhat

Severity : Moderate

Public Date: 2026-02-24T01:05:39Z

Links: CVE-2026-25799 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T16:15:22Z

Weaknesses