Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted SVG file containing a malicious element causes ImageMagick to attempt to allocate ~674 GB of memory, leading to an out-of-memory abort. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
Published: 2026-02-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Out-of-Resource Denial of Service due to excessive memory allocation
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is caused by missing limits in the internal SVG decoder of ImageMagick, which allows an attacker to craft an SVG file that forces the program to attempt to allocate approximately 674 GB of memory. The allocation attempt results in an out-of-memory abort, terminating the process and disrupting any service that relies on ImageMagick. The primary impact is a denial of service against the availability of applications or systems that process image files. The weakness is classified as CWE-770 (Allocation of Resources Without Limits or Throttling) and CWE-789 (Memory Allocation with Excessive Size Value).

Affected Systems

All versions of ImageMagick prior to 7.1.2-15 and 6.9.13-40 are vulnerable. The affected product is ImageMagick released by the ImageMagick project.

Risk and Exploitability

The CVSS 3.1 score is 7.5 (High); the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H means the flaw is reachable over the network with no privileges or user interaction and affects availability only. The EPSS score is less than 1%, suggesting a low probability of exploitation at present, and the weakness is not listed in the CISA KEV catalog. Exploitation requires feeding a malicious SVG file to anything that hands the file to ImageMagick, such as web servers, document conversion services, or local utilities. The attack can be performed remotely if the target accepts arbitrary images from untrusted sources, or locally if an attacker can influence the input file list. The fix is included in versions 7.1.2-15 and 6.9.13-40. Until patched, the risk is that a successfully exploited ImageMagick process will abort, potentially causing service downtime or cascading failures.

Generated by OpenCVE AI on April 16, 2026 at 16:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update ImageMagick to version 7.1.2-15 or newer, or 6.9.13-40 or newer, to receive the vendor patch that addresses the memory allocation issue
  • Configure the environment to reject or sanitize SVG files from untrusted sources before they reach ImageMagick processing logic
  • Set system-level resource limits, such as ulimits, cgroups, or Docker memory caps, on the process that runs ImageMagick to prevent excessive memory usage from causing system instability
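A policy.xml fragment that implements the second and third recommendations inside ImageMagick itself, added here as an example and not taken from OpenCVE or the ImageMagick project: it disables the SVG coders so untrusted SVG input is refused before decoding, and caps the resources any single decode may claim. The limit values are deployment-specific assumptions. The page does not say whether the affected allocation path consults ImageMagick's own resource limits, so keep the OS-level cap (ulimit, cgroup, or container memory limit) as the backstop.

```xml
<policymap>
  <!-- Weak state: an empty policymap, i.e. every coder enabled and no
       resource limits. Everything below tightens that default. -->

  <!-- Refuse SVG outright when the deployment never needs to render it.
       MSVG is ImageMagick's internal SVG renderer, the decoder named in the
       advisory; SVG covers the delegate-backed path if one is compiled in.
       The policy is keyed on the detected coder, so renaming the file's
       extension does not bypass it. -->
  <policy domain="coder" rights="none" pattern="{SVG,MSVG}"/>

  <!-- If SVG must stay enabled, bound what one decode may allocate.
       Values are assumptions for a small conversion worker; tune per host. -->
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="map"    value="512MiB"/>
  <policy domain="resource" name="disk"   value="1GiB"/>
  <policy domain="resource" name="width"  value="16KP"/>
  <policy domain="resource" name="height" value="16KP"/>
  <policy domain="resource" name="area"   value="128MP"/>
  <policy domain="resource" name="time"   value="60"/>
</policymap>
```

Check the effective policy with `magick -list policy` (or `convert -list policy` on the 6.x line); the file lives under the CONFIGURE_PATH reported by `magick -list configure`, commonly /etc/ImageMagick-7/policy.xml on Linux distributions.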



Advisories
Source       ID                    Title
Debian DSA   DSA-6158-1            imagemagick security update
Debian DSA   DSA-6210-1            imagemagick security update
Github GHSA  GHSA-v7g2-m8c5-mf84   ImageMagick: Memory allocation with excessive without limits in the internal SVG decoder
History

Sat, 28 Feb 2026 03:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Feb 2026 12:15:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*

Tue, 24 Feb 2026 12:15:00 +0000

Type: References
Type: Metrics (threat_severity)
Values Removed: None
Values Added: Important

Tue, 24 Feb 2026 10:00:00 +0000

Type: First Time appeared
Values Added: Imagemagick, Imagemagick imagemagick
Type: Vendors & Products
Values Added: Imagemagick, Imagemagick imagemagick

Tue, 24 Feb 2026 02:00:00 +0000

Type: Description
Values Added: ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted SVG file containing an malicious element causes ImageMagick to attempt to allocate ~674 GB of memory, leading to an out-of-memory abort. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
Type: Title
Values Added: Memory allocation with excessive without limits in the internal SVG decoder
Type: Weaknesses
Values Added: CWE-770, CWE-789
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-02-28T02:05:55.678Z
Reserved: 2026-02-09T17:41:55.857Z
Link: CVE-2026-25985

Vulnrichment

Updated: 2026-02-28T02:05:49.993Z

NVD

Status: Analyzed
Published: 2026-02-24T02:16:02.620
Modified: 2026-02-25T12:10:42.060
Link: CVE-2026-25985

Redhat

Severity: Important
Public Date: 2026-02-24T01:43:07Z
Links: CVE-2026-25985 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T16:45:25Z

Weaknesses