CVE-2026-25798: ImageMagick has NULL Pointer Dereference in ClonePixelCacheRepository via crafted image
A NULL pointer dereference in ClonePixelCacheRepository allows a remote attacker to crash any application linked against ImageMagick by supplying a crafted image file, resulting in Denial of Service.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3704942==ERROR: AddressSanitizer: UNKNOWN SIGNAL on unknown address 0x000000000000 (pc 0x7f9d141239e0 bp 0x7ffd4c5711e0 sp 0x7ffd4c571148 T0)
References
- github.com/ImageMagick/ImageMagick
- github.com/ImageMagick/ImageMagick/commit/e046417675d5c26e5f48816851a406c121c77469
- github.com/ImageMagick/ImageMagick/issues/8567
- github.com/ImageMagick/ImageMagick/security/advisories/GHSA-p863-5fgm-rgq4
- github.com/advisories/GHSA-p863-5fgm-rgq4
- github.com/dlemstra/Magick.NET/releases/tag/14.10.3
- nvd.nist.gov/vuln/detail/CVE-2026-25798