CVE-2026-25982 Overview
A heap out-of-bounds read vulnerability has been discovered in ImageMagick, the widely used open-source software for editing and manipulating digital images. The vulnerability exists in the coders/dcm.c module, which handles DICOM (Digital Imaging and Communications in Medicine) file processing. When processing DICOM files with a specific configuration, the decoder loop miscounts the number of bytes it reads per iteration, so the function reads past the end of the allocated buffer.
Critical Impact
This vulnerability can lead to Denial of Service through application crashes or Information Disclosure by leaking sensitive heap memory contents into processed images.
Affected Products
- ImageMagick versions prior to 7.1.2-15
- ImageMagick versions prior to 6.9.13-40
- Applications and services integrating vulnerable ImageMagick libraries for DICOM processing
Discovery Timeline
- 2026-02-24 - CVE-2026-25982 published to NVD
- 2026-02-25 - Last updated in NVD database
Technical Details for CVE-2026-25982
Vulnerability Analysis
This vulnerability is classified as CWE-125 (Out-of-bounds Read), a memory-safety flaw that occurs when software reads data past the intended boundary of a buffer. In ImageMagick's DICOM parser, the coders/dcm.c module fails to validate buffer boundaries correctly during the decoding loop.
The vulnerability can be exploited remotely without authentication, as ImageMagick is commonly deployed in web applications and services that process user-uploaded images. An attacker can craft a malicious DICOM file that triggers the out-of-bounds read condition when processed by a vulnerable ImageMagick installation. The impact is twofold: the application may crash (Denial of Service), or sensitive heap memory contents may be inadvertently included in the output image (Information Disclosure).
Root Cause
The root cause lies in the DICOM decoder's byte reading logic within coders/dcm.c. When processing DICOM files with specific configurations, the decoder loop miscalculates the number of bytes to read per iteration. This miscalculation results in the function attempting to read beyond the allocated buffer boundaries, accessing adjacent heap memory that was not intended to be part of the image data.
Attack Vector
The attack vector is network-based, requiring no user interaction or special privileges. Exploitation follows this sequence:
- A malicious DICOM file is crafted with the specific configuration parameters that reach the vulnerable code path
- The file is uploaded or sent to a service that processes images using ImageMagick
- The vulnerable coders/dcm.c module decodes the file and reads past the buffer boundary
- Depending on heap state, the read results in either a crash or leakage of adjacent heap memory into the output image
The vulnerability is particularly concerning for healthcare applications and PACS (Picture Archiving and Communication System) environments where DICOM files are commonly processed, potentially exposing sensitive patient data or other heap-resident information.
Detection Methods for CVE-2026-25982
Indicators of Compromise
- Application crashes or segmentation faults when processing DICOM files
- Unexpected data or artifacts appearing in processed DICOM images
- Memory access violations logged in system or application logs
- Anomalous DICOM file uploads with unusual header configurations
Detection Strategies
- Monitor ImageMagick processes for abnormal termination signals (SIGSEGV, SIGABRT)
- Implement file integrity monitoring for DICOM files processed through ImageMagick pipelines
- Run ImageMagick under application-level sandboxing so that a crash or out-of-bounds access is contained and surfaced rather than silently affecting the host service
- Use AddressSanitizer (ASan) builds in development/testing environments to catch out-of-bounds reads
Monitoring Recommendations
- Enable verbose logging for ImageMagick DICOM processing operations
- Monitor system logs for repeated crashes of ImageMagick-dependent services
- Implement alerting on unusual DICOM file characteristics during upload validation
- Track memory usage patterns for services processing DICOM files
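The detection and monitoring items above (abnormal termination signals, repeated crashes of ImageMagick-dependent services) can be made concrete with a small supervising wrapper. The following is an added example, not code from the advisory or from the ImageMagick project: it assumes the conversion is invoked as `magick input.dcm output.png`, writes one structured log line per run in a constructed `key=value` format, and includes a scanner that flags upload origins whose conversions crash repeatedly. The sample log lines are constructed for the example.

```python
"""Crash supervision and log analysis for ImageMagick DICOM conversions.

Added example (not from the advisory). Assumed command line: magick SRC DST.
"""
import signal
import subprocess
from collections import Counter

# Termination signals that point at a memory-safety crash rather than a
# clean error exit from the converter.
CRASH_SIGNALS = {"SIGSEGV", "SIGABRT", "SIGBUS"}


def classify_returncode(returncode):
    """Map a subprocess return code to an outcome label.

    subprocess reports a signal-terminated child as a negative code
    (-11 for SIGSEGV, -6 for SIGABRT); 0 is success; other positive codes
    are the program's own error exits (unsupported file, bad syntax, ...).
    """
    if returncode == 0:
        return "ok"
    if returncode < 0:
        try:
            return signal.Signals(-returncode).name
        except ValueError:
            return "SIGNAL_%d" % -returncode
    return "error"


def convert_supervised(src, dst, origin, timeout=30):
    """Run the conversion and return (outcome, log_line).

    The wrapper does not inspect the output image; it only records how the
    process ended so that crashes become visible in logs and can be
    correlated with the upload that triggered them.
    """
    cmd = ["magick", src, dst]  # assumed invocation
    try:
        proc = subprocess.run(cmd, capture_output=True, timeout=timeout)
        outcome = classify_returncode(proc.returncode)
    except subprocess.TimeoutExpired:
        outcome = "timeout"
    except FileNotFoundError:
        outcome = "missing-binary"
    return outcome, "imagemagick-dicom outcome=%s origin=%s" % (outcome, origin)


def parse_log_line(line):
    """Return the key=value fields of a wrapper log line, or None."""
    if not line.startswith("imagemagick-dicom "):
        return None
    fields = {}
    for token in line.split()[1:]:
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def crash_sources(lines, threshold=2):
    """Return origins whose conversions crashed at least `threshold` times."""
    counts = Counter()
    for line in lines:
        fields = parse_log_line(line)
        if fields and fields.get("outcome") in CRASH_SIGNALS:
            counts[fields.get("origin")] += 1
    return sorted(origin for origin, n in counts.items() if n >= threshold)


# Constructed sample log lines in the wrapper's format.
SAMPLE_LOG = [
    "imagemagick-dicom outcome=ok origin=upload-1001",
    "imagemagick-dicom outcome=SIGSEGV origin=upload-1002",
    "imagemagick-dicom outcome=error origin=upload-1003",
    "imagemagick-dicom outcome=SIGSEGV origin=upload-1002",
    "imagemagick-dicom outcome=SIGABRT origin=upload-1004",
    "unrelated log line",
]

if __name__ == "__main__":
    print("repeat crashers:", crash_sources(SAMPLE_LOG))
```

A single SIGSEGV may be an unrelated bug, so the scanner keys on repetition per origin; lower the threshold to 1 if the service never legitimately crashes. Pair the wrapper with an ASan build in staging, where the same out-of-bounds read is reported deterministically instead of depending on heap layout.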
How to Mitigate CVE-2026-25982
Immediate Actions Required
- Upgrade ImageMagick to version 7.1.2-15 or later for the 7.x branch
- Upgrade ImageMagick to version 6.9.13-40 or later for the 6.x branch
- Temporarily disable DICOM file processing if immediate patching is not possible
- Implement input validation to reject or quarantine untrusted DICOM files
Patch Information
The ImageMagick maintainers have released patched versions that address this heap out-of-bounds read vulnerability. Users should upgrade to:
- ImageMagick 7.x: Version 7.1.2-15 or later
- ImageMagick 6.x: Version 6.9.13-40 or later
For detailed patch information, refer to the ImageMagick Security Advisory on GitHub.
Workarounds
- Disable DICOM format support by modifying ImageMagick's policy.xml configuration
- Implement strict file type validation before processing with ImageMagick
- Process untrusted DICOM files in isolated sandbox environments
- Use ImageMagick's resource limits to constrain memory operations
<!-- Configuration example: disable DICOM processing in policy.xml -->
<!-- Add these entries inside the <policymap> element of
     /etc/ImageMagick-7/policy.xml (or the equivalent location for your build) -->
<policy domain="coder" rights="none" pattern="DCM" />
<policy domain="coder" rights="none" pattern="DICOM" />
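The input-validation and version-upgrade items above can be enforced at the upload boundary. The following is an added example, not code from the advisory or the ImageMagick project: it checks the DICOM Part 10 magic (a 128-byte preamble followed by `DICM`), parses the `ImageMagick X.Y.Z-N` string that `magick -version` prints, and compares it against the fixed versions the advisory names (7.1.2-15 and 6.9.13-40). The sample file bytes are constructed; the decision function and its labels are assumptions for this example.

```python
"""Upload-boundary checks for a DICOM processing pipeline (added example)."""
import re

DICOM_PREAMBLE_LEN = 128
DICOM_MAGIC = b"DICM"

# Fixed versions from the advisory, keyed by major branch: (major, minor, patch, build).
FIXED_VERSIONS = {7: (7, 1, 2, 15), 6: (6, 9, 13, 40)}


def looks_like_dicom(data):
    """True if data carries the Part 10 preamble followed by 'DICM'.

    This is a strict type check: DICOM files written without the Part 10
    preamble are rejected here, which is intended for an untrusted-upload path.
    """
    end = DICOM_PREAMBLE_LEN + len(DICOM_MAGIC)
    return len(data) >= end and data[DICOM_PREAMBLE_LEN:end] == DICOM_MAGIC


def parse_imagemagick_version(version_output):
    """Extract (major, minor, patch, build) from 'magick -version' output."""
    m = re.search(r"ImageMagick (\d+)\.(\d+)\.(\d+)-(\d+)", version_output)
    if m is None:
        raise ValueError("no ImageMagick version string found")
    return tuple(int(part) for part in m.groups())


def is_fixed(version):
    """True if the installed version is at or above the fixed release of its branch.

    Unknown major branches return False: the check refuses to assume a fix
    it cannot verify against the advisory.
    """
    fixed = FIXED_VERSIONS.get(version[0])
    return fixed is not None and version >= fixed


def dicom_upload_decision(data, version):
    """Return 'reject', 'quarantine' or 'process' for one upload (assumed labels).

    Files that are not DICOM are rejected before ImageMagick ever sniffs them;
    DICOM files are held back while the library is unpatched.
    """
    if not looks_like_dicom(data):
        return "reject"
    if not is_fixed(version):
        return "quarantine"
    return "process"


# Constructed samples: a minimal Part 10 header and a PNG signature.
SAMPLE_DICOM = b"\x00" * DICOM_PREAMBLE_LEN + DICOM_MAGIC + b"\x02\x00\x00\x00UL\x04\x00"
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 140
SAMPLE_VERSION_OUTPUT = "Version: ImageMagick 7.1.2-14 Q16-HDRI x86_64 (constructed)"

if __name__ == "__main__":
    installed = parse_imagemagick_version(SAMPLE_VERSION_OUTPUT)
    print("installed:", installed, "fixed:", is_fixed(installed))
    print("decision:", dicom_upload_decision(SAMPLE_DICOM, installed))
```

The magic check establishes only that the upload is DICOM; it cannot recognise the triggering file configuration, which the advisory does not detail, so the version gate (or the policy.xml coder restriction above) is the actual protection until the upgrade is done.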
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.