CVE-2026-25799: ImageMagick has Division-by-Zero in YUV sampling factor validation, which leads to crash
A logic error in YUV sampling factor validation allows an invalid sampling factor to bypass checks and trigger a division-by-zero during image loading, resulting in a reliable denial-of-service.
coders/yuv.c:210:47: runtime error: division by zero
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3543373==ERROR: AddressSanitizer: UNKNOWN SIGNAL on unknown address 0x000000000000 (pc 0x55deeb4d723c bp 0x7fffc28d34d0 sp 0x7fffc28d3320 T0)
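The bug class described above, as an added example that is not ImageMagick's code and is not taken from the advisory: a validator whose AND-chained test lets one invalid factor through, next to a strict check that gates the division. All function names, the accepted factor set {1, 2}, and the shape of the flawed condition are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <stddef.h>
/* Hypothetical names; illustrative only, not ImageMagick source. */

/* Flawed: rejects only when BOTH factors are invalid, so a valid
   horizontal factor masks an invalid vertical one such as 0. */
int factors_ok_weak(long h, long v)
{
  if ((h != 1) && (h != 2) && (v != 1) && (v != 2))
    return 0;
  return 1;
}

/* Strict: each factor must independently be 1 or 2 (assumed set). */
int factors_ok_strict(long h, long v)
{
  return ((h == 1) || (h == 2)) && ((v == 1) || (v == 2));
}

/* Parse "H" or "HxV"; a missing V defaults to H. Returns 0 on success. */
int parse_factors(const char *s, long *h, long *v)
{
  int n = (s != NULL) ? sscanf(s, "%ldx%ld", h, v) : 0;
  if (n == 1)
    *v = *h;
  return (n >= 1) ? 0 : -1;
}

/* Chroma plane size, rounded up. Divides only after the strict check,
   so the divisor is never zero. Returns -1 for a rejected factor. */
int chroma_size(size_t width, size_t height, const char *sampling,
                size_t *cw, size_t *ch)
{
  long h = 0, v = 0;
  if (parse_factors(sampling, &h, &v) != 0 || !factors_ok_strict(h, v))
    return -1;
  *cw = (width + (size_t) h - 1) / (size_t) h;
  *ch = (height + (size_t) v - 1) / (size_t) v;
  return 0;
}

int main(void)
{
  size_t cw = 0, ch = 0;
  printf("weak accepts 2x0: %d\n", factors_ok_weak(2, 0));
  printf("strict accepts 2x0: %d\n", factors_ok_strict(2, 0));
  printf("chroma_size 2x0: %d\n", chroma_size(640, 480, "2x0", &cw, &ch));
  return 0;
}
```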
References
- github.com/ImageMagick/ImageMagick
- github.com/ImageMagick/ImageMagick/commit/49000e7298fbfdd759ac2c46f740f40c2e9b7452
- github.com/ImageMagick/ImageMagick/security/advisories/GHSA-543g-8grm-9cw6
- github.com/advisories/GHSA-543g-8grm-9cw6
- github.com/dlemstra/Magick.NET/releases/tag/14.10.3
- nvd.nist.gov/vuln/detail/CVE-2026-25799