CVE-2026-25796
📋 TL;DR
This CVE describes a memory leak vulnerability in ImageMagick's STEGANO image decoder. When processing specially crafted steganographic images, the software fails to free allocated memory on certain error paths, causing gradual memory exhaustion. This affects any system using vulnerable ImageMagick versions to process untrusted images.
💻 Affected Systems
- ImageMagick
📦 What is this software?
Imagemagick by Imagemagick
Imagemagick by Imagemagick
⚠️ Risk & Real-World Impact
Worst Case
Repeated exploitation could lead to complete system memory exhaustion, causing denial of service and potentially crashing the application or entire system.
Likely Case
Gradual memory consumption leading to degraded performance and eventual application crashes when processing multiple malicious images.
If Mitigated
Minimal impact with proper memory monitoring and process isolation in place.
🎯 Exploit Status
Exploitation requires crafting malicious STEGANO images and repeated processing to cause noticeable impact.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.1.2-15 or 6.9.13-40
Vendor Advisory: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-g2pr-qxjg-7r2w
Restart Required: Yes
Instructions:
1. Check current ImageMagick version with 'convert --version'. 2. Update via package manager: 'sudo apt update && sudo apt upgrade imagemagick' (Debian/Ubuntu) or 'sudo yum update imagemagick' (RHEL/CentOS). 3. Restart any services using ImageMagick. 4. Verify with 'convert --version' to confirm version 7.1.2-15 or 6.9.13-40+.
🔧 Temporary Workarounds
Disable STEGANO format processing
linuxRemove STEGANO format from ImageMagick's policy.xml to prevent processing of vulnerable image type
sudo sed -i '/<policy domain="delegate" rights="none" pattern="STEGANO" \/>/d' /etc/ImageMagick-6/policy.xml
echo '<policy domain="delegate" rights="none" pattern="STEGANO" />' | sudo tee -a /etc/ImageMagick-6/policy.xml
🧯 If You Can't Patch
- Implement strict input validation to reject STEGANO format images
- Run ImageMagick in containerized environments with memory limits and automatic restart policies
🔍 How to Verify
Check if Vulnerable:
Run 'convert --version' and check if version is below 7.1.2-15 (for ImageMagick 7) or below 6.9.13-40 (for ImageMagick 6)Check Version:
convert --version | head -1Verify Fix Applied:
After patching, verify version is 7.1.2-15 or 6.9.13-40+ with 'convert --version'📡 Detection & Monitoring
Log Indicators:
- Repeated memory allocation failures
- Application crashes with out-of-memory errors
- High memory usage by ImageMagick processes
Network Indicators:
- Multiple STEGANO format image uploads to image processing endpoints
SIEM Query:
source="*imagemagick*" AND ("memory" OR "crash" OR "STEGANO")