ImageMagick < 6.9.13-40 / 7.x < 7.1.2-15 Multiple Vulnerabilities

critical Nessus Plugin ID 300075

Synopsis

The remote host has an application installed that is affected by multiple vulnerabilities.

Description

The remote host has a version of ImageMagick installed that is prior to 6.9.13-40 or 7.1.2-15. It is, therefore, affected by multiple vulnerabilities as referenced in multiple GitHub Security Advisories.

- A heap-based buffer overflow vulnerability exists in the SUN image decoder. When processing a specially crafted SUN image file, a signed integer overflow can occur in the ReadSUNImage function during the calculation of the memory size for sun_pixels. On 32-bit systems and builds, the addition of pixels_length and image->rows can wrap around, leading to the allocation of a buffer significantly smaller than required. Subsequent decoding operations then write pixel data past the end of this allocated buffer, resulting in a heap-based buffer overflow. This can be exploited to cause a crash (DoS) or potentially lead to memory corruption. (CVE-2026-25897)

- A path traversal vulnerability exists in ImageMagick's core security policy engine. The security engine evaluates the raw filename string (the input provided by the user) before the operating system resolves the final path. Consequently, a policy intended to block access to /etc/* can be bypassed using standard path traversal techniques (e.g., images/../../etc/passwd). The policy matcher only sees the unnormalized path and allows it, but the OS resolves the dots and opens the sensitive file. This effectively nullifies security configurations like policy-secure.xml. (CVE-2026-25965)
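The following C program is an added illustration of the check ordering described above; it is not ImageMagick's code. It pairs a matcher that tests the raw filename string against a deny list (the pattern the advisory describes) with a hardened matcher that lexically normalises the path first. The deny-list prefixes, the working directory `/srv`, and the helper names are all assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed deny list standing in for a policy such as policy-secure.xml:
 * nothing under these prefixes may be opened. */
static const char *const kDeniedPrefixes[] = { "/etc/", "/proc/" };

/* Pattern the advisory describes: the raw filename string is matched
 * against the policy, so "images/../../etc/passwd" never starts with
 * "/etc/" and is allowed even though the OS will open /etc/passwd. */
static bool policy_allows_raw(const char *filename)
{
    for (size_t i = 0; i < sizeof kDeniedPrefixes / sizeof kDeniedPrefixes[0]; i++) {
        if (strncmp(filename, kDeniedPrefixes[i], strlen(kDeniedPrefixes[i])) == 0)
            return false;
    }
    return true;
}

/* Lexically normalise `input` relative to `base` (an absolute directory):
 * collapses ".", "..", and repeated slashes without touching the
 * filesystem. ".." above the root stays at the root. Returns false when
 * the result would not fit in `out`. */
static bool normalize_path(const char *base, const char *input, char *out, size_t outlen)
{
    char joined[4096];
    int n = input[0] == '/' ? snprintf(joined, sizeof joined, "%s", input)
                            : snprintf(joined, sizeof joined, "%s/%s", base, input);
    if (n < 0 || (size_t)n >= sizeof joined || outlen < 2)
        return false;

    out[0] = '\0';
    const char *p = joined;
    while (*p) {
        while (*p == '/')
            p++;
        const char *seg = p;
        while (*p && *p != '/')
            p++;
        size_t len = (size_t)(p - seg);
        if (len == 0 || (len == 1 && seg[0] == '.'))
            continue;                      /* empty or "." segment: drop it */
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            char *slash = strrchr(out, '/');
            if (slash)
                *slash = '\0';             /* ".." pops the previous segment */
            continue;
        }
        size_t used = strlen(out);
        if (used + 1 + len + 1 > outlen)
            return false;
        out[used] = '/';
        memcpy(out + used + 1, seg, len);
        out[used + 1 + len] = '\0';
    }
    if (out[0] == '\0')
        strcpy(out, "/");                  /* everything collapsed to the root */
    return true;
}

/* Hardened check: normalise first, match the policy against the result,
 * and fail closed if normalisation itself fails. */
static bool policy_allows_normalized(const char *base, const char *filename)
{
    char resolved[4096];
    if (!normalize_path(base, filename, resolved, sizeof resolved))
        return false;
    return policy_allows_raw(resolved);
}

int main(void)
{
    const char *cwd = "/srv";                      /* constructed working directory */
    const char *name = "images/../../etc/passwd";  /* traversal string quoted in the advisory */
    char resolved[4096];
    normalize_path(cwd, name, resolved, sizeof resolved);
    printf("raw matcher:        %s -> %s\n", name,
           policy_allows_raw(name) ? "allowed" : "denied");
    printf("normalized matcher: %s -> %s\n", resolved,
           policy_allows_normalized(cwd, name) ? "allowed" : "denied");
    return 0;
}
```

The normalisation here is purely lexical, which is what a policy matcher can do before the file is opened; it does not resolve symbolic links, so a deployment that also needs symlink protection should additionally compare the path the OS actually resolves (for example via `realpath` after open) against the policy, or confine the process with an OS-level sandbox.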

- A heap-based buffer overflow vulnerability exists in the WriteUHDRImage function which uses 32-bit int arithmetic to calculate the size of the required pixel buffer. When processing images with extremely large dimensions, the multiplication operation overflows. This results in an undersized heap allocation. Subsequent writing of image data into this too-small buffer leads to an out-of-bounds write. While primarily a crash risk (DoS), memory corruption of this type can, in specific environments, be leveraged for remote code execution. (CVE-2026-25794)
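Both arithmetic bugs above (the wrapping addition of `pixels_length` and `image->rows` in the SUN decoder, and the overflowing width-times-height multiplication in the UHDR writer) have the same shape: a buffer size computed in fixed-width arithmetic silently wraps, and the allocation that follows is too small. The C program below is an added example, not ImageMagick's code, that reproduces the wrap with a 32-bit unsigned size type (so it behaves the same on a 64-bit host; the advisory describes a signed overflow in the SUN case, but the checked helpers apply equally) and shows the checked-arithmetic form that rejects the computation instead of allocating. All function names, the sample dimensions and the byte cap are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* 32-bit size type so the wrap-around reproduces on a 64-bit host; on a
 * real 32-bit build size_t has the same range. */
typedef uint32_t size32_t;
#define SIZE32_MAX UINT32_MAX

/* Unchecked patterns of the shape the advisory describes (constructed, not
 * ImageMagick's code). */
static size32_t naive_sun_size(size32_t pixels_length, size32_t rows)
{
    return pixels_length + rows;             /* wraps when the sum exceeds 2^32-1 */
}

static size32_t naive_uhdr_size(size32_t width, size32_t height, size32_t bytes_per_pixel)
{
    return width * height * bytes_per_pixel; /* wraps for large dimensions */
}

/* Checked arithmetic: report overflow instead of wrapping. */
static bool checked_add32(size32_t a, size32_t b, size32_t *out)
{
    if (a > SIZE32_MAX - b)
        return false;
    *out = a + b;
    return true;
}

static bool checked_mul32(size32_t a, size32_t b, size32_t *out)
{
    if (a != 0 && b > SIZE32_MAX / a)
        return false;
    *out = a * b;
    return true;
}

static bool safe_sun_size(size32_t pixels_length, size32_t rows, size32_t *out)
{
    return checked_add32(pixels_length, rows, out);
}

static bool safe_uhdr_size(size32_t width, size32_t height, size32_t bytes_per_pixel, size32_t *out)
{
    size32_t pixels;
    return checked_mul32(width, height, &pixels) && checked_mul32(pixels, bytes_per_pixel, out);
}

/* Allocate the pixel buffer only when the size is exact and within a cap
 * (the cap plays the role of a resource limit such as a policy memory limit). */
static void *alloc_pixel_buffer(size32_t width, size32_t height, size32_t bytes_per_pixel, size32_t max_bytes)
{
    size32_t need;
    if (!safe_uhdr_size(width, height, bytes_per_pixel, &need) || need > max_bytes)
        return NULL;
    return calloc(need, 1);
}

int main(void)
{
    size32_t n;
    printf("naive SUN size:    %u bytes (pixels_length=0xFFFFFFF0, rows=0x20)\n",
           naive_sun_size(0xFFFFFFF0u, 0x20u));
    printf("checked SUN size:  %s\n",
           safe_sun_size(0xFFFFFFF0u, 0x20u, &n) ? "ok" : "overflow rejected");
    printf("naive UHDR size:   %u bytes (65536 x 65536 x 4)\n",
           naive_uhdr_size(65536u, 65536u, 4u));
    printf("checked UHDR size: %s\n",
           safe_uhdr_size(65536u, 65536u, 4u, &n) ? "ok" : "overflow rejected");
    return 0;
}
```

On GCC and Clang the two checked helpers can be replaced by `__builtin_add_overflow` and `__builtin_mul_overflow`, which also cover signed operands; the portable comparisons above are kept so the reasoning is visible. The cap in `alloc_pixel_buffer` is the second line of defence: even an exact size should be refused when it exceeds what the service is willing to spend on one image.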

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to ImageMagick version 6.9.13-40 / 7.1.2-15 or later.

See Also

http://www.nessus.org/u?43533553

http://www.nessus.org/u?795200b8

http://www.nessus.org/u?0b4c41c0

http://www.nessus.org/u?b74069cb

http://www.nessus.org/u?3facf6fc

http://www.nessus.org/u?7290e08a

http://www.nessus.org/u?838403a7

http://www.nessus.org/u?5c4b9e1e

http://www.nessus.org/u?97975580

http://www.nessus.org/u?3b1418e1

http://www.nessus.org/u?b3d1c7d7

http://www.nessus.org/u?81683aac

http://www.nessus.org/u?be37ce0f

http://www.nessus.org/u?872de761

http://www.nessus.org/u?6142440b

http://www.nessus.org/u?1f475790

http://www.nessus.org/u?650541a8

http://www.nessus.org/u?85b39cbe

http://www.nessus.org/u?7139922f

Plugin Details

Severity: Critical

ID: 300075

File Name: imagemagick_7_1_2_15.nasl

Version: 1.1

Type: local

Agent: windows, macosx, unix

Family: Misc.

Published: 2/27/2026

Updated: 2/27/2026

Configuration: Enable thorough checks (optional)

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-25897

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/a:imagemagick:imagemagick

Required KB Items: installed_sw/ImageMagick

Patch Publication Date: 2/26/2026

Vulnerability Publication Date: 2/26/2026

Reference Information

CVE: CVE-2026-24481, CVE-2026-24484, CVE-2026-24485, CVE-2026-25576, CVE-2026-25637, CVE-2026-25638, CVE-2026-25794, CVE-2026-25795, CVE-2026-25796, CVE-2026-25897, CVE-2026-25898, CVE-2026-25965, CVE-2026-25966, CVE-2026-25967, CVE-2026-25969, CVE-2026-25983, CVE-2026-25985, CVE-2026-25987, CVE-2026-25989, CVE-2026-26066, CVE-2026-26283, CVE-2026-26983