Bug 2442127 (CVE-2026-25985)

Summary: CVE-2026-25985 ImageMagick: Memory allocation with excessive without limits in the internal SVG decoder
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A memory exhaustion vulnerability has been identified in ImageMagick when processing specially crafted SVG image files. In vulnerable versions, a maliciously crafted SVG element may trigger an excessively large internal memory allocation (on the order of hundreds of gigabytes), causing the ImageMagick process to consume all available memory and abort. An application that reads, identifies, or converts such an SVG image may be affected when the file is passed to ImageMagick’s API or command-line tools.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2442239, 2442240    
Bug Blocks:    

Description OSIDB Bzimport 2026-02-24 02:03:10 UTC 
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted SVG file containing an malicious element causes ImageMagick to attempt to allocate ~674 GB of memory, leading to an out-of-memory abort. Versions 7.1.2-15 and 6.9.13-40 contain a patch.