CVE-2026-25966: ImageMagick Security Policy Bypass via fd Handler

Thinking Process: 1. Analyze the Request: Task: Translate a Chinese vulnerability intelligence summary to English. Role: Professional translator specializing in cybersecurity. Constraint 1: Maintain all Markdown formatting intact. Constraint 2: Do not add any introductory or concluding remarks. Input: A Markdown snippet containing vulnerability details (Title, Severity, CVE ID, CVSS metrics, Affected/Fixed versions, Description, CWE). Observation: The input text is actually a mix of Chinese and English. Some fields (like "漏洞标题", "漏洞等级", "CVE ID", "CVSS v3 Base Metrics", "受影响的版本", "已修复的版本", "描述", "缺陷") are in Chinese, while the content within them is mostly English or mixed. The goal is to translate the Chinese parts into English while keeping the structure and existing English content consistent (or correcting it if it looks like a direct translation of a Chinese template). Specific Content Analysis: -> (or similar) -> -> -> (Keep as is) -> (Keep as is, translate labels if needed, but they are already English) -> -> -> Content within Description: -> -> -> -> (Or similar meaning: "The remediated policy will be enabled by default in the secure policy configuration.") -> 2. Drafting the Translation: -> -> -> -> -> (List items under CVSS are already English, keep them) -> -> -> (Description bullets) -> -> -> (Code block remains same) -> -> 3. Refining Terminology: "关键漏洞信息" -> "Critical Vulnerability Information" is standard. "漏洞标题" -> "Vulnerability Title". "漏洞等级" -> "Severity" or "Vulnerability Level". "Severity" is more common in CVE contexts. "受影响的版本" -> "Affected Versions". "已修复的版本" -> "Fixed Versions" or "Patched Versions". "Fixed Versions" is fine. "描述" -> "Description". "缺陷" -> "Weakness" (matches CWE context). "标准流" -> "standard streams" (stdin/stdout). "伪文件名" -> "pseudo-file names" or "pseudo filenames". "安全策略" -> "security policy". 4. Final Review against Constraints: Markdown intact? Yes. No intro/outro? Yes. Professional tone? Yes. 5. Final Polish: Ensure the code block inside the description is preserved exactly. Ensure the CVSS metrics list indentation is preserved. Self-Correction on Description Translation: "配置中默认的安全策略中包含一个规则，旨在防止读取/写入标准流。" Translation: "The default security policy in the configuration contains a rule intended to prevent reading from or writing to standard streams." "ImageMagick 同样支持伪文件名（如，fd:0，fd:1），这种形式的路径未被安全策略阻止，因此绕过了“禁止读取/写入标准流”的保护目标。" Translation: "ImageMagick also supports pseudo-file names (e.g., fd:0, fd:1). Paths of this form are not blocked by the security policy, thus bypassing the protection goal of 'prohibiting reading from or writing to standard streams'." "要解决此问题，请在安全策略中添加:" Translation: "To resolve this issue, add the following to the security policy:" "修复后的策略将在更安全的策略中作为默认设置启用。" Translation: "The fixed policy will be enabled as a default setting in the secure policy." (Or "The remediated policy will be enabled by default in the secure policy configuration.") Let's go with "The fixed policy will be enabled by default in the secure policy configuration." "缺陷" -> In CWE context, "Weakness" is the standard term. 6. Constructing Output: (Mental check of markdown) xml Wait, checking the original markdown indentation for CVSS metrics. Original: I need to preserve that indentation. Also, checking the Description bullets. Original: I need to preserve that structure. Let's assemble. One detail: "漏洞等级" -> "Severity" is good. "缺陷" -> "Weakness" is good for CWE. Ready to generate.cs Critical Vulnerability Information Vulnerability Title: Security Policy Bypass through config/policy-secure.xml via "fd handler" leads to stdin/stdout access Severity: Moderate (CVSS 3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) CVE ID: CVE-2026-25966 CVSS v3 Base Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Confidentiality: Low - Integrity: Low - Availability: Low Affected Versions: - < 7.1.2-15 - < 6.9.13-40 Fixed Versions: - 7.1.2-15 - 6.9.13-40 Description: - The default security policy in the configuration contains a rule intended to prevent reading from or writing to standard streams. - ImageMagick also supports pseudo-file names (e.g., fd:0, fd:1); paths of this form are not blocked by the security policy, thereby bypassing the protection goal of "prohibiting reading from or writing to standard streams". - To resolve this issue, add the following to the security policy: - The fixed policy will be enabled by default in the secure policy configuration. Weakness**: CWE-284

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-25966: ImageMagick Security Policy Bypass via fd Handler

More from this source