[security][CRITICAL] ImageMagick 7.1.1.47: 53 CVE require triage #1

Open
opened 2026-05-25 20:43:22 +03:00 by sbelikov · 0 comments
CVE triage request

Package

  • Package: ImageMagick
  • Version: 7.1.1.47
  • EVR: 1:7.1.1.47-1
  • Category: -
  • Policy class: -
  • NiceOS policy class: -
  • Owner: -
  • Severity: CRITICAL
  • Max CVSS: 9.8
  • CVE count: 53
  • Included NiceOS statuses: needs_triage
  • Included match types: cpe-range

LLM recommendation

NVD/CPE candidate CVEs were found for ImageMagick 7.1.1.47: CVE-2025-53014, CVE-2025-53015, CVE-2025-53019, CVE-2025-53101, CVE-2025-55154, CVE-2025-55212, CVE-2025-55298, CVE-2025-57803, CVE-2025-57807, CVE-2025-62171, CVE-2025-66628, CVE-2025-68618, CVE-2025-69204, CVE-2026-22770, CVE-2026-23876, CVE-2026-23952, CVE-2026-24481, CVE-2026-24485, CVE-2026-25794, CVE-2026-25795, CVE-2026-25796, CVE-2026-25798, CVE-2026-25799, CVE-2026-25897, CVE-2026-25898, CVE-2026-25965, CVE-2026-25966, CVE-2026-25967, CVE-2026-25968, CVE-2026-25969, CVE-2026-25970, CVE-2026-25971, CVE-2026-25983, CVE-2026-25985, CVE-2026-25986, CVE-2026-25987, CVE-2026-25988, CVE-2026-25989, CVE-2026-26066, CVE-2026-26283, CVE-2026-26284, CVE-2026-27798, CVE-2026-28494, CVE-2026-28691, CVE-2026-28693, CVE-2026-30883, CVE-2026-30929, CVE-2026-30931, CVE-2026-32636, CVE-2026-33900, CVE-2026-33901, CVE-2026-33905, CVE-2026-33908. Security-team triage is required.

Verify CVE applicability to the NiceOS build, compare with upstream/vendor advisories, set affected/fixed/not_affected status, and prepare a package update if required.

Recommended action: needs_triage

Target version hint: -

Tests: Run RPM build, package upgrade, dependency compatibility, service/CLI smoke tests, and package-class-specific regression tests.

Risks: An automatic NVD/CPE match is not the final NiceOS vulnerability verdict.

CVE candidates from NVD/CPE

| CVE | Severity | CVSS | Match | Confidence | NiceOS status | Fixed in | Existing issue | Reason |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-53014 | CRITICAL | 9.8 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2025-53101 | CRITICAL | 9.8 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2025-57807 | CRITICAL | 9.8 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2026-22770 | CRITICAL | 9.8 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2026-23876 | CRITICAL | 9.8 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2026-25897 | CRITICAL | 9.8 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2026-25968 | CRITICAL | 9.8 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2026-25971 | CRITICAL | 9.8 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2026-25983 | CRITICAL | 9.8 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2026-25986 | CRITICAL | 9.8 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2026-25898 | CRITICAL | 9.1 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2026-25987 | CRITICAL | 9.1 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2026-26284 | CRITICAL | 9.1 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2025-55298 | HIGH | 8.8 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2025-57803 | HIGH | 8.8 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2026-25794 | HIGH | 8.2 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2026-28693 | HIGH | 8.1 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2025-55154 | HIGH | 7.8 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2026-25966 | HIGH | 7.8 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2026-30883 | HIGH | 7.8 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2026-30929 | HIGH | 7.8 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2026-30931 | HIGH | 7.8 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2025-53015 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2025-53019 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2025-55212 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2025-62171 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2025-66628 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2025-68618 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2025-69204 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2026-23952 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2026-24481 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2026-24485 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2026-25795 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2026-25796 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2026-25798 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2026-25799 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2026-25965 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2026-25967 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2026-25969 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2026-25970 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2026-25985 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2026-25988 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2026-25989 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2026-26066 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2026-26283 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2026-28691 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2026-32636 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2026-33900 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2026-33901 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2026-33908 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2026-27798 | HIGH | 7.1 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2026-28494 | HIGH | 7.1 | cpe-range | 85 | needs_triage | | | package version is inside version range |
| CVE-2026-33905 | HIGH | 7.1 | cpe-range | 85 | needs_triage | | | package version is inside version range |

Descriptions

CVE-2025-53014

ImageMagick is free and open-source software used for editing and manipulating digital images. Versions prior to 7.1.2-0 and 6.9.13-26 have a heap buffer overflow in the InterpretImageFilename function. The issue stems from an off-by-one error that causes out-of-bounds memory access when processing format strings containing consecutive percent signs (%%). Versions 7.1.2-0 and 6.9.13-26 fix the issue.

CVE-2025-53101

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions prior to 7.1.2-0 and 6.9.13-26, in ImageMagick's magick mogrify command, specifying multiple consecutive %d format specifiers in a filename template causes internal pointer arithmetic to generate an address below the beginning of the stack buffer, resulting in a stack overflow through vsnprintf(). Versions 7.1.2-0 and 6.9.13-26 fix the issue.

CVE-2025-57807

ImageMagick is free and open-source software used for editing and manipulating digital images. ImageMagick versions lower than 14.8.2 include insecure functions: SeekBlob(), which permits advancing the stream offset beyond the current end without increasing capacity, and WriteBlob(), which then expands by quantum + length (amortized) instead of offset + length, and copies to data + offset. When offset ≫ extent, the copy targets memory beyond the allocation, producing a deterministic heap write on 64-bit builds. No 2⁶⁴ arithmetic wrap, external delegates, or policy settings are required. This is fixed in version 14.8.2.

CVE-2026-22770

ImageMagick is free and open-source software used for editing and manipulating digital images. The BilateralBlurImage method will allocate a set of double buffers inside AcquireBilateralTLS. But, in versions prior to 7.1.2-13, the last element in the set is not properly initialized. This will result in a release of an invalid pointer inside DestroyBilateralTLS when the memory allocation fails. Version 7.1.2-13 contains a patch for the issue.

CVE-2026-23876

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-13 and 6.9.13-38, a heap buffer overflow vulnerability in the XBM image decoder (ReadXBMImage) allows an attacker to write controlled data past the allocated heap buffer when processing a maliciously crafted image file. Any operation that reads or identifies an image can trigger the overflow, making it exploitable via common image upload and processing pipelines. Versions 7.1.2-13 and 6.9.13-38 fix the issue.

CVE-2026-25897

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, an Integer Overflow vulnerability exists in the sun decoder. On 32-bit systems/builds, a carefully crafted image can lead to an out of bounds heap write. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

CVE-2026-25968

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a stack buffer overflow occurs when processing the an attribute in msl.c. A long value overflows a fixed-size stack buffer, leading to memory corruption. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

CVE-2026-25971

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, Magick fails to check for circular references between two MSLs, leading to a stack overflow. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

CVE-2026-25983

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted MSL script triggers a heap-use-after-free. The operation element handler replaces and frees the image while the parser continues reading from it, leading to a UAF in ReadBlobString during further parsing. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

CVE-2026-25986

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap buffer overflow write vulnerability exists in ReadYUVImage() (coders/yuv.c) when processing malicious YUV 4:2:2 (NoInterlace) images. The pixel-pair loop writes one pixel beyond the allocated row buffer. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

CVE-2026-25898

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, the UIL and XPM image encoder do not validate the pixel index value returned by GetPixelIndex() before using it as an array subscript. In HDRI builds, Quantum is a floating-point type, so pixel index values can be negative. An attacker can craft an image with negative pixel index values to trigger a global buffer overflow read during conversion, leading to information disclosure or a process crash. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

CVE-2026-25987

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap buffer over-read vulnerability exists in the MAP image decoder when processing crafted MAP files, potentially leading to crashes or unintended memory disclosure during image decoding. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

CVE-2026-26284

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, ImageMagick lacks proper boundary checking when processing Huffman-coded data from PCD (Photo CD) files. The decoder contains a function that has an incorrect initialization that could cause an out of bounds read. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

CVE-2025-55298

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to ImageMagick versions 6.9.13-28 and 7.1.2-2, a format string bug vulnerability exists in InterpretImageFilename function where user input is directly passed to FormatLocaleString without proper sanitization. An attacker can overwrite arbitrary memory regions, enabling a wide range of attacks from heap overflow to remote code execution. This issue has been patched in versions 6.9.13-28 and 7.1.2-2.

CVE-2025-57803

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-28 and 7.1.2-2 for ImageMagick's 32-bit build, a 32-bit integer overflow in the BMP encoder’s scanline-stride computation collapses bytes_per_line (stride) to a tiny value while the per-row writer still emits 3 × width bytes for 24-bpp images. The row base pointer advances using the (overflowed) stride, so the first row immediately writes past its slot and into adjacent heap memory with attacker-controlled bytes. This is a classic, powerful primitive for heap corruption in common auto-convert pipelines. This issue has been patched in versions 6.9.13-28 and 7.1.2-2.

CVE-2026-25794

ImageMagick is free and open-source software used for editing and manipulating digital images. WriteUHDRImage in coders/uhdr.c uses int arithmetic to compute the pixel buffer size. Prior to version 7.1.2-15, when image dimensions are large, the multiplication overflows 32-bit int, causing an undersized heap allocation followed by an out-of-bounds write. This can crash the process or potentially lead to an out of bounds heap write. Version 7.1.2-15 contains a patch.

CVE-2026-28693

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, an integer overflow in DIB coder can result in out of bounds read or write. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.

CVE-2025-55154

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-27 and 7.1.2-1, the magnified size calculations in ReadOneMNGImage (in coders/png.c) are unsafe and can overflow, leading to memory corruption. This issue has been patched in versions 6.9.13-27 and 7.1.2-1.

CVE-2026-25966

ImageMagick is free and open-source software used for editing and manipulating digital images. The shipped "secure" security policy includes a rule intended to prevent reading/writing from standard streams. However, ImageMagick also supports fd: pseudo-filenames (e.g., fd:0, fd:1). Prior to versions 7.1.2-15 and 6.9.13-40, this path form is not blocked by the secure policy templates, and therefore bypasses the protection goal of "no stdin/stdout." Versions 7.1.2-15 and 6.9.13-40 contain a patch by including a change to the more secure policies by default. As a workaround, add the change to one's security policy manually.

CVE-2026-30883

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, an extremely large image profile could result in a heap overflow when encoding a PNG image. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.

CVE-2026-30929

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, MagnifyImage uses a fixed-size stack buffer. When using a specific image it is possible to overflow this buffer and corrupt the stack. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.

CVE-2026-30931

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-16, a heap-based buffer overflow in the UHDR encoder can happen due to truncation of a value and it would allow an out of bounds write. This vulnerability is fixed in 7.1.2-16.

CVE-2025-53015

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions prior to 7.1.2-0, infinite lines occur when writing during a specific XMP file conversion command. Version 7.1.2-0 fixes the issue.

CVE-2025-53019

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions prior to 7.1.2-0 and 6.9.13-26, in ImageMagick's magick stream command, specifying multiple consecutive %d format specifiers in a filename template causes a memory leak. Versions 7.1.2-0 and 6.9.13-26 fix the issue.

CVE-2025-55212

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-28 and 7.1.2-2, passing a geometry string containing only a colon (":") to montage -geometry leads GetGeometry() to set width/height to 0. Later, ThumbnailImage() divides by these zero dimensions, triggering a crash (SIGFPE/abort), resulting in a denial of service. This issue has been patched in versions 6.9.13-28 and 7.1.2-2.

CVE-2025-62171

ImageMagick is an open source software suite for displaying, converting, and editing raster image files. In ImageMagick versions prior to 7.1.2-7 and 6.9.13-32, an integer overflow vulnerability exists in the BMP decoder on 32-bit systems. The vulnerability occurs in coders/bmp.c when calculating the extent value by multiplying image columns by bits per pixel. On 32-bit systems with size_t of 4 bytes, a malicious BMP file with specific dimensions can cause this multiplication to overflow and wrap to zero. The overflow check added to address CVE-2025-57803 is placed after the overflow occurs, making it ineffective. A specially crafted 58-byte BMP file with width set to 536,870,912 and 32 bits per pixel can trigger this overflow, causing the bytes_per_line calculation to become zero. This vulnerability only affects 32-bit builds of ImageMagick where default resource limits for width, height, and area have been manually increased beyond their defaults. 64-bit systems with size_t of 8 bytes are not vulnerable, and systems using default ImageMagick resource limits are not vulnerable. The vulnerability is fixed in versions 7.1.2-7 and 6.9.13-32.

CVE-2025-66628

ImageMagick is a software suite to create, edit, compose, or convert bitmap images. In versions 7.1.2-9 and prior, the TIM (PSX TIM) image parser contains a critical integer overflow vulnerability in its ReadTIMImage function (coders/tim.c). The code reads width and height (16-bit values) from the file header and calculates image_size = 2 * width * height without checking for overflow. On 32-bit systems (or where size_t is 32-bit), this calculation can overflow if width and height are large (e.g., 65535), wrapping around to a small value. This results in a small heap allocation via AcquireQuantumMemory and later operations relying on the dimensions can trigger an out of bounds read. This issue is fixed in version 7.1.2-10.

CVE-2025-68618

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-12, using Magick to read a malicious SVG file resulted in a DoS attack. Version 7.1.2-12 fixes the issue.

CVE-2025-69204

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-12, in the WriteSVGImage function, using an int variable to store number_attributes caused an integer overflow. This, in turn, triggered a buffer overflow and caused a DoS attack. Version 7.1.2-12 fixes the issue.

CVE-2026-23952

ImageMagick is free and open-source software used for editing and manipulating digital images. Versions 14.10.1 and below have a NULL pointer dereference vulnerability in the MSL (Magick Scripting Language) parser when processing tags before images are loaded. This can lead to DoS attack due to assertion failure (debug builds) or NULL pointer dereference (release builds). This issue is fixed in version 14.10.2.

CVE-2026-24481

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap information disclosure vulnerability exists in ImageMagick's PSD (Adobe Photoshop) format handler. When processing a maliciously crafted PSD file containing ZIP-compressed layer data that decompresses to less than the expected size, uninitialized heap memory is leaked into the output image. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

CVE-2026-24485

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, when a PCD file does not contain a valid Sync marker, the DecodeImage() function becomes trapped in an infinite loop while searching for the Sync marker, causing the program to become unresponsive and continuously consume CPU resources, ultimately leading to system resource exhaustion and denial of service. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

CVE-2026-25795

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, in ReadSFWImage() (coders/sfw.c), when temporary file creation fails, read_info is destroyed before its filename member is accessed, causing a NULL pointer dereference and crash. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

CVE-2026-25796

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, in ReadSTEGANOImage() (coders/stegano.c), the watermark Image object is not freed on three early-return paths, resulting in a definite memory leak (~13.5KB+ per invocation) that can be exploited for denial of service. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

CVE-2026-25798

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a NULL pointer dereference in ClonePixelCacheRepository allows a remote attacker to crash any application linked against ImageMagick by supplying a crafted image file, resulting in denial of service. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

CVE-2026-25799

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a logic error in YUV sampling factor validation allows an invalid sampling factor to bypass checks and trigger a division-by-zero during image loading, resulting in a reliable denial-of-service. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

CVE-2026-25965

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, ImageMagick’s path security policy is enforced on the raw filename string before the filesystem resolves it. As a result, a policy rule such as /etc/* can be bypassed by a path traversal. The OS resolves the traversal and opens the sensitive file, but the policy matcher only sees the unnormalized path and therefore allows the read. This enables local file disclosure (LFI) even when policy-secure.xml is applied. Actions to prevent reading from files have been taken in versions 7.1.2-15 and 6.9.13-40. But to make sure writing is also not possible, the following should be added to one's policy. This will also be included in ImageMagick's more secure policies by default.

CVE-2026-25967

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-15, a stack-based buffer overflow exists in the ImageMagick FTXT image reader. A crafted FTXT file can cause out-of-bounds writes on the stack, leading to a crash. Version 7.1.2-15 contains a patch.

CVE-2026-25969

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-15, a memory leak exists in coders/ashlar.c. The WriteASHLARImage allocates a structure. However, when an exception is thrown, the allocated memory is not properly released, resulting in a potential memory leak. Version 7.1.2-15 contains a patch.

CVE-2026-25970

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a signed integer overflow vulnerability in ImageMagick's SIXEL decoder allows an attacker to trigger memory corruption and denial of service when processing a maliciously crafted SIXEL image file. The vulnerability occurs during buffer reallocation operations where pointer arithmetic using signed 32-bit integers overflows. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

CVE-2026-25985

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted SVG file containing a malicious element causes ImageMagick to attempt to allocate ~674 GB of memory, leading to an out-of-memory abort. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

CVE-2026-25988

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, sometimes msl.c fails to update the stack index, so an image is stored in the wrong slot and never freed on error, causing leaks. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

CVE-2026-25989

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted SVG file can cause a denial of service. An off-by-one boundary check (> instead of >=) allows bypassing the guard and reaching an undefined (size_t) cast. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

CVE-2026-26066

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted profile containing invalid IPTC data may cause an infinite loop when writing it with IPTCTEXT. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

CVE-2026-26283

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a continue statement in the JPEG extent binary search loop in the jpeg encoder causes an infinite loop when writing persistently fails. An attacker can trigger a 100% CPU consumption and process hang (Denial of Service) with a crafted image. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

CVE-2026-28691

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, an uninitialized pointer dereference vulnerability exists in the JBIG decoder due to a missing check. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.

CVE-2026-32636

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-17 and 6.9.13-42, the NewXMLTree method contains a bug that could result in a crash due to an out-of-bounds write of a single zero byte. Versions 7.1.2-17 and 6.9.13-42 fix the issue.

CVE-2026-33900

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, the viff encoder contains an integer truncation/wraparound issue on 32-bit builds that could trigger an out of bounds heap write, potentially causing a crash. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.

CVE-2026-33901

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, a heap buffer overflow occurs in the MVG decoder that could result in an out of bounds write when processing a crafted image. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.

CVE-2026-33908

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, Magick frees the memory of the XML tree via the DestroyXMLTree() function; however, this process is executed recursively with no depth limit imposed. When Magick processes an XML file with deeply nested structures, it will exhaust the stack memory, resulting in a Denial of Service (DoS) attack. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.

CVE-2026-27798

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap buffer over-read vulnerability occurs when processing an image with small dimension using the -wavelet-denoise operator. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

CVE-2026-28494

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a stack buffer overflow exists in ImageMagick's morphology kernel parsing functions. User-controlled kernel strings exceeding a buffer are copied into fixed-size stack buffers via memcpy without bounds checking, resulting in stack corruption. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.

CVE-2026-33905

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, the -sample operation has an out of bounds read when a specific offset is set through the sample:offset define. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.

Scanner integration

This issue was generated from niceos_cve_matches after the SPEC/Forgejo evidence pass.
After real creation, this script writes forgejo_issue_open rows into niceos_cve_evidence and marks the selected CVE rows as issue_open, so the next scanner/creator run does not duplicate the issue.

Maintainer checklist

  • Verify whether each CVE applies to the NiceOS build.
  • Compare NVD data with upstream/vendor advisory.
  • Set final NiceOS status: affected, fixed, not_affected, false_positive, deferred, or not_in_cloud_image.
  • If affected, decide update/backport strategy according to package policy class.
  • Run package-class-specific build, upgrade and regression tests.
  • Add/update niceos_cve_triage entry.
  • Create NICE-SA advisory if a security update is shipped.

Machine metadata

{
  "fingerprint": "0ce812e5aa89087e601c",
  "generated_at": "2026-05-25T17:43:21Z",
  "match_types": [
    "cpe-range"
  ],
  "package": "ImageMagick",
  "prompt_version": "niceos_cve_issue_analysis_v2",
  "statuses": [
    "needs_triage"
  ],
  "tool": "niceos_cve_create_issues.py",
  "tool_version": "2.0",
  "version": "7.1.1.47"
}
<!-- niceos-cve-fingerprint: 0ce812e5aa89087e601c --> <!-- niceos-cve-package: ImageMagick --> <!-- niceos-cve-cves: CVE-2025-53014, CVE-2025-53015, CVE-2025-53019, CVE-2025-53101, CVE-2025-55154, CVE-2025-55212, CVE-2025-55298, CVE-2025-57803, CVE-2025-57807, CVE-2025-62171, CVE-2025-66628, CVE-2025-68618, CVE-2025-69204, CVE-2026-22770, CVE-2026-23876, CVE-2026-23952, CVE-2026-24481, CVE-2026-24485, CVE-2026-25794, CVE-2026-25795, CVE-2026-25796, CVE-2026-25798, CVE-2026-25799, CVE-2026-25897, CVE-2026-25898, CVE-2026-25965, CVE-2026-25966, CVE-2026-25967, CVE-2026-25968, CVE-2026-25969, CVE-2026-25970, CVE-2026-25971, CVE-2026-25983, CVE-2026-25985, CVE-2026-25986, CVE-2026-25987, CVE-2026-25988, CVE-2026-25989, CVE-2026-26066, CVE-2026-26283, CVE-2026-26284, CVE-2026-27798, CVE-2026-28494, CVE-2026-28691, CVE-2026-28693, CVE-2026-30883, CVE-2026-30929, CVE-2026-30931, CVE-2026-32636, CVE-2026-33900, CVE-2026-33901, CVE-2026-33905, CVE-2026-33908 --> <!-- niceos-cve-source: niceos_cve_scan_packages_auto_cpe --> # CVE triage request / Запрос на разбор CVE ## Package / Пакет - Package: `ImageMagick` - Version: `7.1.1.47` - EVR: `1:7.1.1.47-1` - Category: `-` - Policy class: `-` - NiceOS policy class: `-` - Owner: `-` - Severity: `CRITICAL` - Max CVSS: `9.8` - CVE count: `53` - Included NiceOS statuses: `needs_triage` - Included match types: `cpe-range` ## LLM recommendation / Рекомендация LLM ### RU Для пакета ImageMagick 7.1.1.47 найдены CVE-кандидаты по данным NVD/CPE: CVE-2025-53014, CVE-2025-53015, CVE-2025-53019, CVE-2025-53101, CVE-2025-55154, CVE-2025-55212, CVE-2025-55298, CVE-2025-57803, CVE-2025-57807, CVE-2025-62171, CVE-2025-66628, CVE-2025-68618, CVE-2025-69204, CVE-2026-22770, CVE-2026-23876, CVE-2026-23952, CVE-2026-24481, CVE-2026-24485, CVE-2026-25794, CVE-2026-25795, CVE-2026-25796, CVE-2026-25798, CVE-2026-25799, CVE-2026-25897, CVE-2026-25898, CVE-2026-25965, CVE-2026-25966, CVE-2026-25967, CVE-2026-25968, CVE-2026-25969, CVE-2026-25970, 
CVE-2026-25971, CVE-2026-25983, CVE-2026-25985, CVE-2026-25986, CVE-2026-25987, CVE-2026-25988, CVE-2026-25989, CVE-2026-26066, CVE-2026-26283, CVE-2026-26284, CVE-2026-27798, CVE-2026-28494, CVE-2026-28691, CVE-2026-28693, CVE-2026-30883, CVE-2026-30929, CVE-2026-30931, CVE-2026-32636, CVE-2026-33900, CVE-2026-33901, CVE-2026-33905, CVE-2026-33908. Требуется triage security-team. Проверить применимость CVE к сборке НАЙС.ОС, сопоставить с upstream/vendor advisory, определить статус affected/fixed/not_affected и при необходимости подготовить обновление пакета. **Рекомендуемое действие:** `needs_triage` **Подсказка по целевой версии:** `-` **Проверки:** Проверить сборку RPM, обновление пакета, совместимость зависимостей, service/CLI smoke tests и регрессионные сценарии по классу пакета. **Риски:** Автоматическое совпадение NVD/CPE не является финальным вердиктом по НАЙС.ОС. ### EN NVD/CPE candidate CVEs were found for ImageMagick 7.1.1.47: CVE-2025-53014, CVE-2025-53015, CVE-2025-53019, CVE-2025-53101, CVE-2025-55154, CVE-2025-55212, CVE-2025-55298, CVE-2025-57803, CVE-2025-57807, CVE-2025-62171, CVE-2025-66628, CVE-2025-68618, CVE-2025-69204, CVE-2026-22770, CVE-2026-23876, CVE-2026-23952, CVE-2026-24481, CVE-2026-24485, CVE-2026-25794, CVE-2026-25795, CVE-2026-25796, CVE-2026-25798, CVE-2026-25799, CVE-2026-25897, CVE-2026-25898, CVE-2026-25965, CVE-2026-25966, CVE-2026-25967, CVE-2026-25968, CVE-2026-25969, CVE-2026-25970, CVE-2026-25971, CVE-2026-25983, CVE-2026-25985, CVE-2026-25986, CVE-2026-25987, CVE-2026-25988, CVE-2026-25989, CVE-2026-26066, CVE-2026-26283, CVE-2026-26284, CVE-2026-27798, CVE-2026-28494, CVE-2026-28691, CVE-2026-28693, CVE-2026-30883, CVE-2026-30929, CVE-2026-30931, CVE-2026-32636, CVE-2026-33900, CVE-2026-33901, CVE-2026-33905, CVE-2026-33908. Security-team triage is required. 
Verify CVE applicability to the NiceOS build, compare with upstream/vendor advisories, set affected/fixed/not_affected status, and prepare a package update if required. **Recommended action:** `needs_triage` **Target version hint:** `-` **Tests:** Run RPM build, package upgrade, dependency compatibility, service/CLI smoke tests, and package-class-specific regression tests. **Risks:** An automatic NVD/CPE match is not the final NiceOS vulnerability verdict. ## CVE candidates from NVD/CPE | CVE | Severity | CVSS | Match | Confidence | NiceOS status | Fixed in | Existing issue | Reason | |---|---|---:|---|---:|---|---|---|---| | CVE-2025-53014 | CRITICAL | 9.8 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2025-53101 | CRITICAL | 9.8 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2025-57807 | CRITICAL | 9.8 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2026-22770 | CRITICAL | 9.8 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2026-23876 | CRITICAL | 9.8 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2026-25897 | CRITICAL | 9.8 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2026-25968 | CRITICAL | 9.8 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2026-25971 | CRITICAL | 9.8 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2026-25983 | CRITICAL | 9.8 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2026-25986 | CRITICAL | 9.8 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2026-25898 | CRITICAL | 9.1 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2026-25987 | CRITICAL | 9.1 | cpe-range | 85 | needs_triage | | | package version is inside version range | 
| CVE-2026-26284 | CRITICAL | 9.1 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2025-55298 | HIGH | 8.8 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2025-57803 | HIGH | 8.8 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2026-25794 | HIGH | 8.2 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2026-28693 | HIGH | 8.1 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2025-55154 | HIGH | 7.8 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2026-25966 | HIGH | 7.8 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2026-30883 | HIGH | 7.8 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2026-30929 | HIGH | 7.8 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2026-30931 | HIGH | 7.8 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2025-53015 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2025-53019 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2025-55212 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2025-62171 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2025-66628 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2025-68618 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2025-69204 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2026-23952 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range | | 
CVE-2026-24481 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2026-24485 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2026-25795 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2026-25796 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2026-25798 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2026-25799 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2026-25965 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2026-25967 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2026-25969 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2026-25970 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2026-25985 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2026-25988 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2026-25989 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2026-26066 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2026-26283 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2026-28691 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2026-32636 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2026-33900 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2026-33901 | 
HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2026-33908 | HIGH | 7.5 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2026-27798 | HIGH | 7.1 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2026-28494 | HIGH | 7.1 | cpe-range | 85 | needs_triage | | | package version is inside version range | | CVE-2026-33905 | HIGH | 7.1 | cpe-range | 85 | needs_triage | | | package version is inside version range | ## Descriptions ### CVE-2025-53014 ImageMagick is free and open-source software used for editing and manipulating digital images. Versions prior to 7.1.2-0 and 6.9.13-26 have a heap buffer overflow in the `InterpretImageFilename` function. The issue stems from an off-by-one error that causes out-of-bounds memory access when processing format strings containing consecutive percent signs (`%%`). Versions 7.1.2-0 and 6.9.13-26 fix the issue. ### CVE-2025-53101 ImageMagick is free and open-source software used for editing and manipulating digital images. In versions prior to 7.1.2-0 and 6.9.13-26, in ImageMagick's `magick mogrify` command, specifying multiple consecutive `%d` format specifiers in a filename template causes internal pointer arithmetic to generate an address below the beginning of the stack buffer, resulting in a stack overflow through `vsnprintf()`. Versions 7.1.2-0 and 6.9.13-26 fix the issue. ### CVE-2025-57807 ImageMagick is free and open-source software used for editing and manipulating digital images. ImageMagick versions lower than 14.8.2 include insecure functions: SeekBlob(), which permits advancing the stream offset beyond the current end without increasing capacity, and WriteBlob(), which then expands by quantum + length (amortized) instead of offset + length, and copies to data + offset. When offset ≫ extent, the copy targets memory beyond the allocation, producing a deterministic heap write on 64-bit builds. 
No 2⁶⁴ arithmetic wrap, external delegates, or policy settings are required. This is fixed in version 14.8.2. ### CVE-2026-22770 ImageMagick is free and open-source software used for editing and manipulating digital images. The BilateralBlurImage method will allocate a set of double buffers inside AcquireBilateralTLS. But, in versions prior to 7.1.2-13, the last element in the set is not properly initialized. This will result in a release of an invalid pointer inside DestroyBilateralTLS when the memory allocation fails. Version 7.1.2-13 contains a patch for the issue. ### CVE-2026-23876 ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-13 and 6.9.13-38, a heap buffer overflow vulnerability in the XBM image decoder (ReadXBMImage) allows an attacker to write controlled data past the allocated heap buffer when processing a maliciously crafted image file. Any operation that reads or identifies an image can trigger the overflow, making it exploitable via common image upload and processing pipelines. Versions 7.1.2-13 and 6.9.13-38 fix the issue. ### CVE-2026-25897 ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, an Integer Overflow vulnerability exists in the sun decoder. On 32-bit systems/builds, a carefully crafted image can lead to an out of bounds heap write. Versions 7.1.2-15 and 6.9.13-40 contain a patch. ### CVE-2026-25968 ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a stack buffer overflow occurs when processing the an attribute in msl.c. A long value overflows a fixed-size stack buffer, leading to memory corruption. Versions 7.1.2-15 and 6.9.13-40 contain a patch. ### CVE-2026-25971 ImageMagick is free and open-source software used for editing and manipulating digital images. 
Prior to versions 7.1.2-15 and 6.9.13-40, Magick fails to check for circular references between two MSLs, leading to a stack overflow. Versions 7.1.2-15 and 6.9.13-40 contain a patch. ### CVE-2026-25983 ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted MSL script triggers a heap-use-after-free. The operation element handler replaces and frees the image while the parser continues reading from it, leading to a UAF in ReadBlobString during further parsing. Versions 7.1.2-15 and 6.9.13-40 contain a patch. ### CVE-2026-25986 ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap buffer overflow write vulnerability exists in ReadYUVImage() (coders/yuv.c) when processing malicious YUV 4:2:2 (NoInterlace) images. The pixel-pair loop writes one pixel beyond the allocated row buffer. Versions 7.1.2-15 and 6.9.13-40 contain a patch. ### CVE-2026-25898 ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, the UIL and XPM image encoder do not validate the pixel index value returned by `GetPixelIndex()` before using it as an array subscript. In HDRI builds, `Quantum` is a floating-point type, so pixel index values can be negative. An attacker can craft an image with negative pixel index values to trigger a global buffer overflow read during conversion, leading to information disclosure or a process crash. Versions 7.1.2-15 and 6.9.13-40 contain a patch. ### CVE-2026-25987 ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap buffer over-read vulnerability exists in the MAP image decoder when processing crafted MAP files, potentially leading to crashes or unintended memory disclosure during image decoding. 
Versions 7.1.2-15 and 6.9.13-40 contain a patch. ### CVE-2026-26284 ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, ImageMagick lacks proper boundary checking when processing Huffman-coded data from PCD (Photo CD) files. The decoder contains an function that has an incorrect initialization that could cause an out of bounds read. Versions 7.1.2-15 and 6.9.13-40 contain a patch. ### CVE-2025-55298 ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to ImageMagick versions 6.9.13-28 and 7.1.2-2, a format string bug vulnerability exists in InterpretImageFilename function where user input is directly passed to FormatLocaleString without proper sanitization. An attacker can overwrite arbitrary memory regions, enabling a wide range of attacks from heap overflow to remote code execution. This issue has been patched in versions 6.9.13-28 and 7.1.2-2. ### CVE-2025-57803 ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-28 and 7.1.2-2 for ImageMagick's 32-bit build, a 32-bit integer overflow in the BMP encoder’s scanline-stride computation collapses bytes_per_line (stride) to a tiny value while the per-row writer still emits 3 × width bytes for 24-bpp images. The row base pointer advances using the (overflowed) stride, so the first row immediately writes past its slot and into adjacent heap memory with attacker-controlled bytes. This is a classic, powerful primitive for heap corruption in common auto-convert pipelines. This issue has been patched in versions 6.9.13-28 and 7.1.2-2. ### CVE-2026-25794 ImageMagick is free and open-source software used for editing and manipulating digital images. `WriteUHDRImage` in `coders/uhdr.c` uses `int` arithmetic to compute the pixel buffer size. 
Prior to version 7.1.2-15, when image dimensions are large, the multiplication overflows 32-bit `int`, causing an undersized heap allocation followed by an out-of-bounds write. This can crash the process or potentially lead to an out of bounds heap write. Version 7.1.2-15 contains a patch. ### CVE-2026-28693 ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, an integer overflow in DIB coder can result in out of bounds read or write. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41. ### CVE-2025-55154 ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-27 and 7.1.2-1, the magnified size calculations in ReadOneMNGIMage (in coders/png.c) are unsafe and can overflow, leading to memory corruption. This issue has been patched in versions 6.9.13-27 and 7.1.2-1. ### CVE-2026-25966 ImageMagick is free and open-source software used for editing and manipulating digital images. The shipped "secure" security policy includes a rule intended to prevent reading/writing from standard streams. However, ImageMagick also supports fd:<n> pseudo-filenames (e.g., fd:0, fd:1). Prior to versions 7.1.2-15 and 6.9.13-40, this path form is not blocked by the secure policy templates, and therefore bypasses the protection goal of "no stdin/stdout." Versions 7.1.2-15 and 6.9.13-40 contain a patch by including a change to the more secure policies by default. As a workaround, add the change to one's security policy manually. ### CVE-2026-30883 ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, an extremely large image profile could result in a heap overflow when encoding a PNG image. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41. ### CVE-2026-30929 ImageMagick is free and open-source software used for editing and manipulating digital images. 
Prior to versions 7.1.2-16 and 6.9.13-41, MagnifyImage uses a fixed-size stack buffer. When using a specific image it is possible to overflow this buffer and corrupt the stack. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41. ### CVE-2026-30931 ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16, a heap-based buffer overflow in the UHDR encoder can happen due to truncation of a value and it would allow an out of bounds write. This vulnerability is fixed in 7.1.2-16. ### CVE-2025-53015 ImageMagick is free and open-source software used for editing and manipulating digital images. In versions prior to 7.1.2-0, infinite lines occur when writing during a specific XMP file conversion command. Version 7.1.2-0 fixes the issue. ### CVE-2025-53019 ImageMagick is free and open-source software used for editing and manipulating digital images. In versions prior to 7.1.2-0 and 6.9.13-26, in ImageMagick's `magick stream` command, specifying multiple consecutive `%d` format specifiers in a filename template causes a memory leak. Versions 7.1.2-0 and 6.9.13-26 fix the issue. ### CVE-2025-55212 ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-28 and 7.1.2-2, passing a geometry string containing only a colon (":") to montage -geometry leads GetGeometry() to set width/height to 0. Later, ThumbnailImage() divides by these zero dimensions, triggering a crash (SIGFPE/abort), resulting in a denial of service. This issue has been patched in versions 6.9.13-28 and 7.1.2-2. ### CVE-2025-62171 ImageMagick is an open source software suite for displaying, converting, and editing raster image files. In ImageMagick versions prior to 7.1.2-7 and 6.9.13-32, an integer overflow vulnerability exists in the BMP decoder on 32-bit systems. 
The vulnerability occurs in coders/bmp.c when calculating the extent value by multiplying image columns by bits per pixel. On 32-bit systems with size_t of 4 bytes, a malicious BMP file with specific dimensions can cause this multiplication to overflow and wrap to zero. The overflow check added to address CVE-2025-57803 is placed after the overflow occurs, making it ineffective. A specially crafted 58-byte BMP file with width set to 536,870,912 and 32 bits per pixel can trigger this overflow, causing the bytes_per_line calculation to become zero. This vulnerability only affects 32-bit builds of ImageMagick where default resource limits for width, height, and area have been manually increased beyond their defaults. 64-bit systems with size_t of 8 bytes are not vulnerable, and systems using default ImageMagick resource limits are not vulnerable. The vulnerability is fixed in versions 7.1.2-7 and 6.9.13-32. ### CVE-2025-66628 ImageMagick is a software suite to create, edit, compose, or convert bitmap images. In versions 7.1.2-9 and prior, the TIM (PSX TIM) image parser contains a critical integer overflow vulnerability in its ReadTIMImage function (coders/tim.c). The code reads width and height (16-bit values) from the file header and calculates image_size = 2 * width * height without checking for overflow. On 32-bit systems (or where size_t is 32-bit), this calculation can overflow if width and height are large (e.g., 65535), wrapping around to a small value. This results in a small heap allocation via AcquireQuantumMemory and later operations relying on the dimensions can trigger an out of bounds read. This issue is fixed in version 7.1.2-10. ### CVE-2025-68618 ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-12, using Magick to read a malicious SVG file resulted in a DoS attack. Version 7.1.2-12 fixes the issue. 
### CVE-2025-69204 ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-12, in the WriteSVGImage function, using an int variable to store number_attributes caused an integer overflow. This, in turn, triggered a buffer overflow and caused a DoS attack. Version 7.1.2-12 fixes the issue. ### CVE-2026-23952 ImageMagick is free and open-source software used for editing and manipulating digital images. Versions 14.10.1 and below have a NULL pointer dereference vulnerability in the MSL (Magick Scripting Language) parser when processing <comment> tags before images are loaded. This can lead to DoS attack due to assertion failure (debug builds) or NULL pointer dereference (release builds). This issue is fixed in version 14.10.2. ### CVE-2026-24481 ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap information disclosure vulnerability exists in ImageMagick's PSD (Adobe Photoshop) format handler. When processing a maliciously crafted PSD file containing ZIP-compressed layer data that decompresses to less than the expected size, uninitialized heap memory is leaked into the output image. Versions 7.1.2-15 and 6.9.13-40 contain a patch. ### CVE-2026-24485 ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, when a PCD file does not contain a valid Sync marker, the DecodeImage() function becomes trapped in an infinite loop while searching for the Sync marker, causing the program to become unresponsive and continuously consume CPU resources, ultimately leading to system resource exhaustion and denial of service. Versions 7.1.2-15 and 6.9.13-40 contain a patch. ### CVE-2026-25795 ImageMagick is free and open-source software used for editing and manipulating digital images. 
Prior to versions 7.1.2-15 and 6.9.13-40, in `ReadSFWImage()` (`coders/sfw.c`), when temporary file creation fails, `read_info` is destroyed before its `filename` member is accessed, causing a NULL pointer dereference and crash. Versions 7.1.2-15 and 6.9.13-40 contain a patch. ### CVE-2026-25796 ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, in `ReadSTEGANOImage()` (`coders/stegano.c`), the `watermark` Image object is not freed on three early-return paths, resulting in a definite memory leak (~13.5KB+ per invocation) that can be exploited for denial of service. Versions 7.1.2-15 and 6.9.13-40 contain a patch. ### CVE-2026-25798 ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a NULL pointer dereference in ClonePixelCacheRepository allows a remote attacker to crash any application linked against ImageMagick by supplying a crafted image file, resulting in denial of service. Versions 7.1.2-15 and 6.9.13-40 contain a patch. ### CVE-2026-25799 ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a logic error in YUV sampling factor validation allows an invalid sampling factor to bypass checks and trigger a division-by-zero during image loading, resulting in a reliable denial-of-service. Versions 7.1.2-15 and 6.9.13-40 contain a patch. ### CVE-2026-25965 ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, ImageMagick’s path security policy is enforced on the raw filename string before the filesystem resolves it. As a result, a policy rule such as /etc/* can be bypassed by a path traversal. 
The OS resolves the traversal and opens the sensitive file, but the policy matcher only sees the unnormalized path and therefore allows the read. This enables local file disclosure (LFI) even when policy-secure.xml is applied. Actions to prevent reading from files have been taken in versions .7.1.2-15 and 6.9.13-40 But it make sure writing is also not possible the following should be added to one's policy. This will also be included in ImageMagick's more secure policies by default. ### CVE-2026-25967 ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-15, a stack-based buffer overflow exists in the ImageMagick FTXT image reader. A crafted FTXT file can cause out-of-bounds writes on the stack, leading to a crash. Version 7.1.2-15 contains a patch. ### CVE-2026-25969 ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-15, a memory leak exists in `coders/ashlar.c`. The `WriteASHLARImage` allocates a structure. However, when an exception is thrown, the allocated memory is not properly released, resulting in a potential memory leak. Version 7.1.2-15 contains a patch. ### CVE-2026-25970 ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a signed integer overflow vulnerability in ImageMagick's SIXEL decoder allows an attacker to trigger memory corruption and denial of service when processing a maliciously crafted SIXEL image file. The vulnerability occurs during buffer reallocation operations where pointer arithmetic using signed 32-bit integers overflows. Versions 7.1.2-15 and 6.9.13-40 contain a patch. ### CVE-2026-25985 ImageMagick is free and open-source software used for editing and manipulating digital images. 
Prior to versions 7.1.2-15 and 6.9.13-40, a crafted SVG file containing an malicious element causes ImageMagick to attempt to allocate ~674 GB of memory, leading to an out-of-memory abort. Versions 7.1.2-15 and 6.9.13-40 contain a patch. ### CVE-2026-25988 ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, sometimes msl.c fails to update the stack index, so an image is stored in the wrong slot and never freed on error, causing leaks. Versions 7.1.2-15 and 6.9.13-40 contain a patch. ### CVE-2026-25989 ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted SVG file can cause a denial of service. An off-by-one boundary check (`>` instead of `>=`) that allows bypass the guard and reach an undefined `(size_t)` cast. Versions 7.1.2-15 and 6.9.13-40 contain a patch. ### CVE-2026-26066 ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted profile contain invalid IPTC data may cause an infinite loop when writing it with `IPTCTEXT`. Versions 7.1.2-15 and 6.9.13-40 contain a patch. ### CVE-2026-26283 ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a `continue` statement in the JPEG extent binary search loop in the jpeg encoder causes an infinite loop when writing persistently fails. An attacker can trigger a 100% CPU consumption and process hang (Denial of Service) with a crafted image. Versions 7.1.2-15 and 6.9.13-40 contain a patch. ### CVE-2026-28691 ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, an uninitialized pointer dereference vulnerability exists in the JBIG decoder due to a missing check. 
This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.

### CVE-2026-32636

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-17 and 6.9.13-42, the NewXMLTree method contains a bug that could result in a crash due to an out-of-bounds write of a single zero byte. Versions 7.1.2-17 and 6.9.13-42 fix the issue.

### CVE-2026-33900

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, the viff encoder contains an integer truncation/wraparound issue on 32-bit builds that could trigger an out-of-bounds heap write, potentially causing a crash. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.

### CVE-2026-33901

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, a heap buffer overflow occurs in the MVG decoder that could result in an out-of-bounds write when processing a crafted image. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.

### CVE-2026-33908

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, Magick frees the memory of the XML tree via the `DestroyXMLTree()` function; however, this process is executed recursively with no depth limit imposed. When Magick processes an XML file with deeply nested structures, it will exhaust the stack memory, resulting in a Denial of Service (DoS) attack. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.

### CVE-2026-27798

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap buffer over-read vulnerability occurs when processing an image with small dimensions using the `-wavelet-denoise` operator. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

### CVE-2026-28494

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a stack buffer overflow exists in ImageMagick's morphology kernel parsing functions. User-controlled kernel strings exceeding a buffer are copied into fixed-size stack buffers via memcpy without bounds checking, resulting in stack corruption. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.

### CVE-2026-33905

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, the -sample operation has an out-of-bounds read when a specific offset is set through the `sample:offset` define that could lead to an out-of-bounds read. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.

## Scanner integration / Интеграция со сканером

This issue was generated from `niceos_cve_matches` after the SPEC/Forgejo evidence pass. After real creation, this script writes `forgejo_issue_open` rows into `niceos_cve_evidence` and marks the selected CVE rows as `issue_open`, so the next scanner/creator run does not duplicate the issue.

## Maintainer checklist

- [ ] Verify whether each CVE applies to the NiceOS build.
- [ ] Compare NVD data with upstream/vendor advisory.
- [ ] Set final NiceOS status: `affected`, `fixed`, `not_affected`, `false_positive`, `deferred`, or `not_in_cloud_image`.
- [ ] If affected, decide update/backport strategy according to package policy class.
- [ ] Run package-class-specific build, upgrade and regression tests.
- [ ] Add/update `niceos_cve_triage` entry.
- [ ] Create `NICE-SA` advisory if a security update is shipped.

## Machine metadata

```json
{
  "cves": [
    "CVE-2025-53014", "CVE-2025-53015", "CVE-2025-53019", "CVE-2025-53101",
    "CVE-2025-55154", "CVE-2025-55212", "CVE-2025-55298", "CVE-2025-57803",
    "CVE-2025-57807", "CVE-2025-62171", "CVE-2025-66628", "CVE-2025-68618",
    "CVE-2025-69204", "CVE-2026-22770", "CVE-2026-23876", "CVE-2026-23952",
    "CVE-2026-24481", "CVE-2026-24485", "CVE-2026-25794", "CVE-2026-25795",
    "CVE-2026-25796", "CVE-2026-25798", "CVE-2026-25799", "CVE-2026-25897",
    "CVE-2026-25898", "CVE-2026-25965", "CVE-2026-25966", "CVE-2026-25967",
    "CVE-2026-25968", "CVE-2026-25969", "CVE-2026-25970", "CVE-2026-25971",
    "CVE-2026-25983", "CVE-2026-25985", "CVE-2026-25986", "CVE-2026-25987",
    "CVE-2026-25988", "CVE-2026-25989", "CVE-2026-26066", "CVE-2026-26283",
    "CVE-2026-26284", "CVE-2026-27798", "CVE-2026-28494", "CVE-2026-28691",
    "CVE-2026-28693", "CVE-2026-30883", "CVE-2026-30929", "CVE-2026-30931",
    "CVE-2026-32636", "CVE-2026-33900", "CVE-2026-33901", "CVE-2026-33905",
    "CVE-2026-33908"
  ],
  "fingerprint": "0ce812e5aa89087e601c",
  "generated_at": "2026-05-25T17:43:21Z",
  "match_ids": [
    978, 979, 980, 981, 984, 986, 987, 988, 989, 990, 993, 994, 996, 997,
    999, 1000, 1001, 1003, 1007, 1008, 1009, 1011, 1012, 1013, 1014, 1015,
    1016, 1017, 1018, 1019, 1020, 1021, 1023, 1024, 1025, 1026, 1027, 1028,
    1029, 1030, 1031, 1033, 1036, 1042, 1044, 1045, 1046, 1047, 1053, 1057,
    1058, 1060, 1061
  ],
  "match_types": ["cpe-range"],
  "package": "ImageMagick",
  "prompt_version": "niceos_cve_issue_analysis_v2",
  "statuses": ["needs_triage"],
  "tool": "niceos_cve_create_issues.py",
  "tool_version": "2.0",
  "version": "7.1.1.47"
}
```