Bug 2442124 (CVE-2026-25982)

Summary: CVE-2026-25982 ImageMagick: ImageMagick: Denial of Service or Information Disclosure via heap out-of-bounds read in DICOM file processing
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in ImageMagick, a software suite for image manipulation. When processing specially crafted DICOM (Digital Imaging and Communications in Medicine) files, a vulnerability allows the software to read beyond its intended memory boundaries. This can lead to a Denial of Service, causing the application to crash, or to Information Disclosure, potentially revealing sensitive data from the system's memory.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2442197, 2442198    
Bug Blocks:    

Description OSIDB Bzimport 2026-02-24 02:03:01 UTC 
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap out-of-bounds read vulnerability exists in the `coders/dcm.c` module. When processing DICOM files with a specific configuration, the decoder loop incorrectly reads bytes per iteration. This causes the function to read past the end of the allocated buffer, potentially leading to a Denial of Service (crash) or Information Disclosure (leaking heap memory into the image). Versions 7.1.2-15 and 6.9.13-40 contain a patch.