CVE-2026-25795: ImageMagick has NULL pointer dereference in ReadSFWImage after DestroyImageInfo (sfw.c)
In ReadSFWImage() (coders/sfw.c), when temporary file creation fails, read_info is destroyed before its filename member is accessed, causing a NULL pointer dereference and crash.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1414421==ERROR: AddressSanitizer: UNKNOWN SIGNAL on unknown address 0x000000000000 (pc 0x56260222912f bp 0x7ffec0a193b0 sp 0x7ffec0a19360 T0)
References
- github.com/ImageMagick/ImageMagick
- github.com/ImageMagick/ImageMagick/commit/332c1566acc2de77857032d3c2504ead6210ff50
- github.com/ImageMagick/ImageMagick/commit/55c344f4b514213642da41194bab57b4476fb9f5
- github.com/ImageMagick/ImageMagick/security/advisories/GHSA-p33r-fqw2-rqmm
- github.com/advisories/GHSA-p33r-fqw2-rqmm
- github.com/dlemstra/Magick.NET/releases/tag/14.10.3
- nvd.nist.gov/vuln/detail/CVE-2026-25795
Code Behaviors & Features
Detect and mitigate CVE-2026-25795 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →