{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25985", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-09T17:41:55.857Z", "datePublished": "2026-02-24T01:43:07.076Z", "dateUpdated": "2026-02-24T01:43:07.076Z"}, "containers": {"cna": {"title": "Memory allocation with excessive without limits in the internal SVG decoder", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-789", "lang": "en", "description": "CWE-789: Memory Allocation with Excessive Size Value", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v7g2-m8c5-mf84", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v7g2-m8c5-mf84"}], "affected": [{"vendor": "ImageMagick", "product": "ImageMagick", "versions": [{"version": ">= 7.0.0, < 7.1.2-15", "status": "affected"}, {"version": "< 6.9.13-40", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-24T01:43:07.076Z"}, "descriptions": [{"lang": "en", "value": "ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted SVG file containing an malicious element causes ImageMagick to attempt to allocate ~674 GB of memory, leading to an out-of-memory abort. Versions 7.1.2-15 and 6.9.13-40 contain a patch."}], "source": {"advisory": "GHSA-v7g2-m8c5-mf84", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted SVG file containing an malicious element causes ImageMagick to attempt to allocate ~674 GB of memory, leading to an out-of-memory abort. Versions 7.1.2-15 and 6.9.13-40 contain a patch."}], "id": "CVE-2026-25985", "lastModified": "2026-02-24T14:13:49.320", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "[email protected]", "type": "Secondary"}]}, "published": "2026-02-24T02:16:02.620", "references": [{"source": "[email protected]", "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v7g2-m8c5-mf84"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}, {"lang": "en", "value": "CWE-789"}], "source": "[email protected]", "type": "Primary"}]}

{"bugzilla": {"description": "ImageMagick: Memory allocation with excessive without limits in the internal SVG decoder", "id": "2442127", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442127"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-770", "details": ["A memory exhaustion vulnerability has been identified in ImageMagick when processing specially crafted SVG image files. In vulnerable versions, a maliciously crafted SVG element may trigger an excessively large internal memory allocation (on the order of hundreds of gigabytes), causing the ImageMagick process to consume all available memory and abort. An application that reads, identifies, or converts such an SVG image may be affected when the file is passed to ImageMagick\u2019s API or command-line tools."], "mitigation": {"lang": "en:us", "value": "To mitigate this vulnerability, avoid processing untrusted or unverified SVG image files with ImageMagick. When ImageMagick must process SVG files from untrusted sources, consider running the application in a sandboxed environment to limit potential resource exhaustion impacts."}, "name": "CVE-2026-25985", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "ImageMagick", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "ImageMagick", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2026-02-24T01:43:07Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-25985\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-25985\nhttps://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v7g2-m8c5-mf84"], "statement": "This issue is classified as High severity by Red Hat Product Security. A remote attacker can craft an SVG image that, when processed by ImageMagick, induces extremely large memory allocation requests, leading to process failure or termination. The attack complexity is low and does not require any privileges or user interaction. While confidentiality and integrity are not directly impacted, the availability of services that parse or manipulate untrusted SVG images could be significantly disrupted over network, justifying a High severity rating.\n```\nIt is important to note that ImageMagick has been removed from Red Hat Enterprise Linux 8 and later releases. Therefore, current supported RHEL 8 and newer systems are not affected by this issue unless ImageMagick is installed from third-party or custom repositories.\nFor additional information, refer to https://access.redhat.com/solutions/4437561.\n```", "threat_severity": "Important"}