CVE-2026-25985

Published: 24 Feb 2026
Source: redhat
CVSS3: 7.5
EPSS: Low

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted SVG file containing a malicious element causes ImageMagick to attempt to allocate ~674 GB of memory, leading to an out-of-memory abort. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

A memory exhaustion vulnerability has been identified in ImageMagick when processing specially crafted SVG image files. In vulnerable versions, a maliciously crafted SVG element may trigger an excessively large internal memory allocation (on the order of hundreds of gigabytes), causing the ImageMagick process to consume all available memory and abort. An application that reads, identifies, or converts such an SVG image may be affected when the file is passed to ImageMagick’s API or command-line tools.

Report

This issue is classified as High severity by Red Hat Product Security. A remote attacker can craft an SVG image that, when processed by ImageMagick, induces extremely large memory allocation requests, leading to process failure or termination. The attack complexity is low and does not require any privileges or user interaction. While confidentiality and integrity are not directly impacted, the availability of services that parse or manipulate untrusted SVG images could be significantly disrupted over the network, justifying a High severity rating.

It is important to note that ImageMagick has been removed from Red Hat Enterprise Linux 8 and later releases. Therefore, current supported RHEL 8 and newer systems are not affected by this issue unless ImageMagick is installed from third-party or custom repositories. For additional information, refer to https://access.redhat.com/solutions/4437561.

Mitigation

To mitigate this vulnerability, avoid processing untrusted or unverified SVG image files with ImageMagick. When ImageMagick must process SVG files from untrusted sources, consider running the application in a sandboxed environment to limit potential resource exhaustion impacts.
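One way to apply the advice above on a host that must still run ImageMagick, as an added example that is not part of the Red Hat text or the ImageMagick project's defaults: a policy.xml that refuses the SVG coders and caps cache resources. The limit values are assumed placeholders to adjust per deployment, and the page does not state whether the resource limits cover the SVG decoder's allocation, so the coder denial is the part that implements "avoid processing untrusted SVG files".

```xml
<!-- Example ImageMagick policy file (added example; the path is typically
     /etc/ImageMagick-6/policy.xml or /etc/ImageMagick-7/policy.xml, but
     varies by distribution and version). -->
<policymap>
  <!-- Defence in depth: cap pixel-cache memory, memory-mapped files and
       disk so a single image cannot consume the whole host. Values are
       assumed placeholders; tune for the real workload. -->
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="map"    value="512MiB"/>
  <policy domain="resource" name="disk"   value="1GiB"/>
  <!-- Abort any single operation that runs longer than this (seconds). -->
  <policy domain="resource" name="time"   value="120"/>

  <!-- Implements "avoid processing untrusted SVG": deny both the external
       SVG coder and the internal MSVG decoder named in the bug title. -->
  <policy domain="coder" rights="none" pattern="SVG"/>
  <policy domain="coder" rights="none" pattern="MSVG"/>
</policymap>
```

After installing the file, `identify -list policy` (or `magick -list policy` on 7.x) prints the active policy, so the denial can be confirmed before untrusted input is accepted.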

Affected packages

Platform                     Package      State                 Recommendation  Release
Red Hat Enterprise Linux 6   ImageMagick  Out of support scope
Red Hat Enterprise Linux 7   ImageMagick  Affected


Additional information

Status: Important
Weakness: CWE-770
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2442127
Title: ImageMagick: Memory allocation with excessive without limits in the internal SVG decoder

EPSS

Percentile: 4%
Score: 0.00017
Low

CVSS3

7.5 High

Related vulnerabilities

CVSS3: 7.5
ubuntu
about 1 month ago

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted SVG file containing a malicious element causes ImageMagick to attempt to allocate ~674 GB of memory, leading to an out-of-memory abort. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

CVSS3: 7.5
nvd
about 1 month ago

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted SVG file containing a malicious element causes ImageMagick to attempt to allocate ~674 GB of memory, leading to an out-of-memory abort. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

CVSS3: 7.5
debian
about 1 month ago

ImageMagick is free and open-source software used for editing and mani ...

CVSS3: 7.5
github
about 1 month ago

ImageMagick: Memory allocation with excessive without limits in the internal SVG decoder

suse-cvrf
19 days ago

Security update for ImageMagick
