CVE-2026-25898: ImageMagick has Global Buffer Overflow (OOB Read) via Negative Pixel Index in UIL and XPM Writer
The UIL and XPM image encoders do not validate the pixel index value returned by GetPixelIndex() before using it as an array subscript. In HDRI builds, Quantum is a floating-point type, so pixel index values can be negative. An attacker can craft an image with negative pixel index values to trigger a global buffer overflow read during conversion, leading to information disclosure or a process crash.
READ of size 1 at 0x55a8823a776e thread T0
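As an added illustration (not ImageMagick's code), this is the shape of check the encoders lacked: a minimal XPM-style row encoder that maps a floating-point pixel index into a global symbol table, rejecting NaN, negative and out-of-range values before they become a subscript. The `Quantum` typedef, `validate_index`, `encode_row` and the sample rows are all constructed here.

```c
#include <math.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an HDRI build: the pixel index channel is a
   floating-point Quantum, so a crafted image can yield negative values. */
typedef float Quantum;

/* Global symbol table, one character per colormap entry, as an XPM-style
   writer uses. Subscripting it with an unchecked negative index is the
   global out-of-bounds read the advisory describes. */
static const char symbols[] = "abcdefgh";   /* 8 colormap entries */

/* Validate a pixel index before it is used as a subscript.
   Returns the integer index, or -1 if it must not be used. */
long validate_index(Quantum index, long colors)
{
    if (isnan(index))                        /* NaN fails every compare */
        return -1;
    if (index < 0.0f || index >= (Quantum)colors)
        return -1;                           /* negative or past the table */
    return (long)index;                      /* truncates toward zero */
}

/* Encode one row of pixel indexes into out[] as symbol characters.
   Returns the count written, or -1 if any index fails validation. */
long encode_row(const Quantum *pixels, size_t width,
                long colors, char *out, size_t out_len)
{
    long max_colors = (long)(sizeof symbols - 1);
    if (colors < 1 || colors > max_colors || out_len < width + 1)
        return -1;
    for (size_t x = 0; x < width; x++) {
        long i = validate_index(pixels[x], colors);
        if (i < 0)
            return -1;                       /* refuse the unsafe subscript */
        out[x] = symbols[i];
    }
    out[width] = '\0';
    return (long)width;
}

int main(void)
{
    /* Constructed rows: the second carries a negative index, as an HDRI
       pixel buffer can after a crafted input. */
    const Quantum good[] = {0.0f, 3.0f, 7.0f, 2.0f};
    const Quantum bad[]  = {1.0f, -3.0f, 2.0f, 0.0f};
    char out[8];
    printf("good: %ld %s\n", encode_row(good, 4, 8, out, sizeof out), out);
    printf("bad:  %ld\n", encode_row(bad, 4, 8, out, sizeof out));
    return 0;
}
```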
References
- github.com/ImageMagick/ImageMagick
- github.com/ImageMagick/ImageMagick/commit/c9c87dbaba56bf82aebd3392e11f0ffd93709b12
- github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vpxv-r9pg-7gpr
- github.com/advisories/GHSA-vpxv-r9pg-7gpr
- github.com/dlemstra/Magick.NET/releases/tag/14.10.3
- nvd.nist.gov/vuln/detail/CVE-2026-25898