CVE-2026-25796

NameCVE-2026-25796
DescriptionImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, in `ReadSTEGANOImage()` (`coders/stegano.c`), the `watermark` Image object is not freed on three early-return paths, resulting in a definite memory leak (~13.5KB+ per invocation) that can be exploited for denial of service. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-4497-1, DSA-6158-1, DSA-6159-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
imagemagick (PTS)bullseye8:6.9.11.60+dfsg-1.3+deb11u4vulnerable
bullseye (security)8:6.9.11.60+dfsg-1.3+deb11u10fixed
bookworm8:6.9.11.60+dfsg-1.6+deb12u5vulnerable
bookworm (security)8:6.9.11.60+dfsg-1.6+deb12u7fixed
trixie8:7.1.1.43+dfsg1-1+deb13u5vulnerable
trixie (security)8:7.1.1.43+dfsg1-1+deb13u6fixed
forky8:7.1.2.15+dfsg1-2fixed
sid8:7.1.2.16+dfsg1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
imagemagicksourcebullseye8:6.9.11.60+dfsg-1.3+deb11u10DLA-4497-1
imagemagicksourcebookworm8:6.9.11.60+dfsg-1.6+deb12u7DSA-6159-1
imagemagicksourcetrixie8:7.1.1.43+dfsg1-1+deb13u6DSA-6158-1
imagemagicksource(unstable)8:7.1.2.15+dfsg1-1

Notes

https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-g2pr-qxjg-7r2w
Fixed by: https://github.com/ImageMagick/ImageMagick/commit/93ad259ce4f6d641eea0bee73f374af90f35efc3 (7.1.2-14)
Fixed by: https://github.com/ImageMagick/ImageMagick6/commit/29aeed740553ed4e5c544e101ac468be55a919ff (6.9.13-39)
Followup: https://github.com/ImageMagick/ImageMagick6/commit/2024ae1d10a7481d04fb717b3fa9170fd294a8f3 (6.9.13-41)
Search for package or bug name: Reporting problems