Bug 2442101 (CVE-2026-25988)

Summary: CVE-2026-25988 ImageMagick: Denial of Service due to memory leak in image processing
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Keywords: Security
Hardware: All   
OS: Linux   
Doc Text:
A flaw was found in ImageMagick. When processing certain images, the msl.c component fails to correctly update the stack index, causing an image to be stored in an incorrect memory location. This memory is then not properly freed, leading to memory leaks. A remote attacker could exploit this vulnerability by providing a specially crafted image, which can lead to a Denial of Service (DoS) condition.
Bug Depends On: 2442189, 2442190    

Description OSIDB Bzimport 2026-02-24 02:01:40 UTC
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, sometimes msl.c fails to update the stack index, so an image is stored in the wrong slot and never freed on error, causing leaks. Versions 7.1.2-15 and 6.9.13-40 contain a patch.