CVE-2026-25966 in ImageMagickinfo

Summary

by MITRE • 02/24/2026

ImageMagick is free and open-source software used for editing and manipulating digital images. The shipped "secure" security policy includes a rule intended to prevent reading/writing from standard streams. However, ImageMagick also supports fd: pseudo-filenames (e.g., fd:0, fd:1). Prior to versions 7.1.2-15 and 6.9.13-40, this path form is not blocked by the secure policy templates, and therefore bypasses the protection goal of "no stdin/stdout." Versions 7.1.2-15 and 6.9.13-40 contain a patch by including a change to the more secure policies by default. As a workaround, add the change to one's security policy manually.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 04/21/2026

CVE-2026-25966 represents a critical security vulnerability in ImageMagick that undermines the software's intended protection mechanisms for standard input and output streams. This vulnerability specifically targets the secure policy templates that are designed to prevent unauthorized access to stdin and stdout through file descriptor pseudo-names. The flaw exists in the handling of fd: pseudo-filenames such as fd:0 and fd:1 which allow direct access to standard streams despite being explicitly blocked by the secure policy. This bypass occurs because the security policy templates in versions prior to 7.1.2-15 and 6.9.13-40 fail to properly restrict these file descriptor references, creating a pathway for malicious actors to circumvent the intended security controls. The vulnerability falls under CWE-22, which describes improper limitation of a pathname to a restricted directory, and specifically relates to CWE-284, which addresses inadequate access control mechanisms. From an operational perspective, this vulnerability enables attackers to potentially read sensitive data from stdin or write malicious content to stdout, which could lead to information disclosure, privilege escalation, or arbitrary code execution in environments where ImageMagick processes untrusted image files. The ATT&CK framework categorizes this as a privilege escalation technique through process injection, as attackers can leverage the bypassed stdin/stdout access to manipulate application behavior. The vulnerability is particularly concerning in web applications and automated processing systems where ImageMagick is used to handle user-uploaded files, as it could allow remote attackers to execute commands or extract data from the processing environment. The fix implemented in versions 7.1.2-15 and 6.9.13-40 addresses this by updating the default security policies to explicitly block fd: pseudo-filenames, thereby restoring the intended protection against standard stream access. Organizations should immediately upgrade to these patched versions and manually review their existing security policies to ensure that fd: pseudo-filename restrictions are properly implemented. System administrators should also consider implementing additional monitoring for suspicious file descriptor access patterns and ensure that ImageMagick is not running with elevated privileges in production environments. The vulnerability demonstrates the importance of comprehensive security policy testing and the potential risks associated with pseudo-file mechanisms that can bypass traditional path validation controls.

Responsible

GitHub M

Reservation

02/09/2026

Disclosure

02/24/2026

Moderation

accepted

CPE

ready

EPSS

0.00135

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!