CVE-2026-25967
📋 TL;DR
This vulnerability is a stack-based buffer overflow in ImageMagick's FTXT image reader, allowing crafted FTXT files to cause out-of-bounds writes on the stack, potentially leading to crashes or arbitrary code execution. It affects users of ImageMagick versions prior to 7.1.2-15 who process untrusted FTXT files. The risk is highest for applications that accept user-uploaded images or process external data.
💻 Affected Systems
- ImageMagick
📦 What is this software?
Imagemagick by Imagemagick
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution (RCE) leading to full system compromise, data theft, or malware deployment.
Likely Case
Application crash (denial of service) due to memory corruption, potentially disrupting services that rely on image processing.
If Mitigated
Limited impact with proper input validation and sandboxing, such as crashes contained within isolated environments.
🎯 Exploit Status
Exploitation requires crafting a malicious FTXT file; no public proof-of-concept is known, but buffer overflows can be leveraged for RCE with sufficient skill.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.1.2-15
Vendor Advisory: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-72hf-fj62-w6j4
Restart Required: No
Instructions:
1. Update ImageMagick to version 7.1.2-15 or later using your package manager (e.g., 'sudo apt update && sudo apt upgrade imagemagick' on Debian/Ubuntu).
2. Verify the update with 'convert --version'.
3. No restart is needed, but restart services using ImageMagick to ensure they use the patched version.
🔧 Temporary Workarounds
Disable FTXT support
Remove or disable the FTXT image format in ImageMagick configuration to prevent processing of vulnerable files.
Edit policy.xml (e.g., /etc/ImageMagick-7/policy.xml) and add: <policy domain="coder" rights="none" pattern="FTXT" />
Restart any services using ImageMagick.
🧯 If You Can't Patch
- Implement strict input validation to reject or sanitize FTXT files before processing.
- Run ImageMagick in a sandboxed or containerized environment to limit potential damage from exploitation.
🔍 How to Verify
Check if Vulnerable:
Check ImageMagick version with 'convert --version' or 'magick --version'; if version is earlier than 7.1.2-15, it is vulnerable.
Check Version:
convert --version | head -1
Verify Fix Applied:
After patching, confirm version is 7.1.2-15 or later using 'convert --version' and test processing a safe FTXT file to ensure no crashes.
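One way to script the checks above, as an added example that is not part of the advisory or of ImageMagick: it parses the version banner, compares it numerically against 7.1.2-15, and looks for the FTXT coder policy from the workaround. The function names and status words are hypothetical, and the policy check is a coarse single-line text match.

```sh
#!/bin/sh
# Added example (not from the advisory). Function names are hypothetical.

FIXED_VERSION="7.1.2-15"   # first fixed release, as stated on this page

# Print the "X.Y.Z-P" version found in a `magick --version` banner line.
im_extract_version() {
  printf '%s\n' "$1" |
    sed -n 's/.*ImageMagick \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*-[0-9][0-9]*\).*/\1/p'
}

# Status 0 when version $1 >= version $2; 2 when either is malformed.
# Runs in a subshell so the IFS and positional-parameter changes stay local.
im_version_ge() (
  IFS='.-'; set -f
  set -- $1 $2
  if [ "$#" -ne 8 ]; then exit 2; fi
  while [ "$#" -gt 4 ]; do          # $5 is always the field paired with $1
    if [ "$1" -gt "$5" ]; then exit 0; fi
    if [ "$1" -lt "$5" ]; then exit 1; fi
    shift
  done
  exit 0
)

# Status 0 when the policy text on stdin has an uncommented coder policy with
# rights="none" whose pattern contains FTXT (single-line entries only).
policy_blocks_ftxt() {
  grep -v '<!--' | grep 'domain="coder"' | grep 'rights="none"' |
    grep -q 'pattern="[^"]*FTXT'
}

# Print PATCHED, MITIGATED, EXPOSED or UNKNOWN for a banner line ($1)
# and a policy.xml path ($2).
ftxt_status() {
  v=$(im_extract_version "$1")
  if [ -z "$v" ]; then echo UNKNOWN; return 0; fi
  if im_version_ge "$v" "$FIXED_VERSION"; then echo PATCHED; return 0; fi
  if [ -r "$2" ] && policy_blocks_ftxt < "$2"; then echo MITIGATED; return 0; fi
  echo EXPOSED
}

# Usage on a host (policy path taken from the page's example):
#   ftxt_status "$(magick --version | head -1)" /etc/ImageMagick-7/policy.xml
```

The comparison is numeric per field, so 7.1.10-0 sorts above 7.1.2-15; 'magick -list policy' shows the policy ImageMagick actually loaded if the file check is in doubt.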
📡 Detection & Monitoring
Log Indicators:
- Log entries indicating ImageMagick crashes or segmentation faults when processing FTXT files.
- Error messages related to buffer overflows or memory corruption in application logs.
Network Indicators:
- Unusual uploads of FTXT files to web applications or services.
- Network traffic spikes associated with image processing endpoints.
SIEM Query:
Example for Splunk: 'index=app_logs source="*imagemagick*" ("segmentation fault" OR "buffer overflow" OR "FTXT")'