Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Versions prior to 7.1.2-13 have a stack overflow via infinite recursion in MSL (Magick Scripting Language) `<write>` command when writing to MSL format. Version 7.1.2-13 fixes the issue.
Published: 2026-01-20
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

ImageMagick, a widely used open-source image manipulation library, contains a stack overflow flaw in its Magick Scripting Language (MSL). The issue arises when the `<write>` command is invoked in MSL scripts that trigger infinite recursion. The resulting overflow can cause the process to crash or consume excessive stack memory, leading to a denial-of-service condition. This weakness is identified as CWE-835, indicating uncontrolled recursion or iteration.

Affected Systems

The vulnerability affects all releases of ImageMagick prior to version 7.1.2-13. Systems running any of those versions are susceptible when they process MSL scripts, particularly the `<write>` command. The fix was implemented in ImageMagick 7.1.2-13, which terminates recursion safely. Users of earlier releases should verify their installed version and upgrade if necessary.

Risk and Exploitability

The CVSS v3.1 score for this flaw is 5.5, placing it in the moderate severity tier. The EPSS score is reported as less than 1%, indicating a very low probability of exploitation at present. This vulnerability has not been listed in the CISA Known Exploited Vulnerabilities catalog, suggesting no confirmed active exploitation. The likely attack vector involves an attacker supplying a malicious MSL file or command to a system that processes images with ImageMagick; the recursion could be triggered locally or remotely, depending on how the library is invoked in the application stack.

Generated by OpenCVE AI on April 18, 2026 at 04:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update ImageMagick to version 7.1.2-13 or later to receive the stack-overflow fix.
  • If an upgrade is delayed, disable or restrict the `<write>` command in MSL scripts for untrusted users to prevent uncontrolled recursion.
  • Remove or disable MSL scripting language support entirely in environments where it is not required.
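As an added check for the first and third recommended actions (this is example code written for this page, not code from OpenCVE or the ImageMagick project), the script below decides whether a reported ImageMagick build predates the 7.1.2-13 fix and whether a policy.xml denies the MSL coder. It assumes that `magick -version` prints a line of the form `Version: ImageMagick X.Y.Z-N ...`, that the policy file follows ImageMagick's `<policymap>`/`<policy>` layout, and that `/etc/ImageMagick-7/policy.xml` is the policy location (an assumed default). The version strings and the policy document embedded in the block are constructed samples, and its glob handling only approximates ImageMagick's own pattern matching.

```python
"""Version and policy checks for the recommended actions above.

Added example, not code from OpenCVE or the ImageMagick project. Assumptions:
  - `magick -version` prints a line of the form
    "Version: ImageMagick <major>.<minor>.<patch>-<release> ...";
  - policy.xml follows ImageMagick's <policymap>/<policy> layout, and a
    coder-domain policy with rights="none" whose pattern covers MSL turns the
    MSL coder off;
  - the default policy path used by check_live() is an assumed location.
The version strings and policy document in this file are constructed samples.
"""
import fnmatch
import re
import subprocess
import xml.etree.ElementTree as ET

# Fix version taken from the advisory text: 7.1.2-13 closes the issue.
FIXED_VERSION = (7, 1, 2, 13)

VERSION_RE = re.compile(r"ImageMagick\s+(\d+)\.(\d+)\.(\d+)-(\d+)")

# Constructed sample inputs (not real command output from any host).
SAMPLE_VERSION_OLD = "Version: ImageMagick 7.1.2-12 Q16-HDRI x86_64 (constructed sample)\n"
SAMPLE_VERSION_FIXED = "Version: ImageMagick 7.1.2-13 Q16-HDRI x86_64 (constructed sample)\n"
SAMPLE_POLICY = """<policymap>
  <!-- constructed sample: deny the MSL coder and two other script coders -->
  <policy domain="coder" rights="none" pattern="{MSL,MVG,EPHEMERAL}" />
  <policy domain="resource" name="memory" value="256MiB" />
</policymap>
"""


def parse_version(version_output: str) -> tuple:
    """Return (major, minor, patch, release) parsed from `magick -version` text."""
    match = VERSION_RE.search(version_output)
    if match is None:
        raise ValueError("no 'ImageMagick X.Y.Z-N' version string found")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version_output: str) -> bool:
    """True when the reported build predates the 7.1.2-13 fix."""
    return parse_version(version_output) < FIXED_VERSION


def _pattern_alternatives(pattern: str) -> list:
    """Split an ImageMagick policy pattern such as "{MSL,MVG}" into its globs."""
    pattern = pattern.strip()
    if pattern.startswith("{") and pattern.endswith("}"):
        pattern = pattern[1:-1]
    return [alt.strip() for alt in pattern.split(",") if alt.strip()]


def msl_disabled(policy_xml: str) -> bool:
    """True if some coder-domain policy with rights="none" matches MSL.

    Coder names are matched case-insensitively with shell-style globs here,
    which approximates (but is not) ImageMagick's own pattern matching.
    """
    root = ET.fromstring(policy_xml)
    for policy in root.iter("policy"):
        if policy.get("domain", "").lower() != "coder":
            continue
        if policy.get("rights", "").lower() != "none":
            continue
        for alt in _pattern_alternatives(policy.get("pattern", "")):
            if fnmatch.fnmatchcase("MSL", alt.upper()):
                return True
    return False


def check_live(policy_path: str = "/etc/ImageMagick-7/policy.xml") -> dict:
    """Run both checks on the local host (policy path is an assumed default)."""
    version_output = subprocess.run(
        ["magick", "-version"], capture_output=True, text=True, check=True
    ).stdout
    with open(policy_path, encoding="utf-8") as fh:
        policy_xml = fh.read()
    return {
        "vulnerable_version": is_vulnerable(version_output),
        "msl_disabled": msl_disabled(policy_xml),
    }


if __name__ == "__main__":
    # Dry run on the constructed samples; call check_live() on a real host.
    print("7.1.2-12 vulnerable:", is_vulnerable(SAMPLE_VERSION_OLD))
    print("7.1.2-13 vulnerable:", is_vulnerable(SAMPLE_VERSION_FIXED))
    print("MSL disabled by sample policy:", msl_disabled(SAMPLE_POLICY))
```

A policy line that denies the coder (`<policy domain="coder" rights="none" pattern="MSL" />`) is a compensating control, not a fix: it stops ImageMagick from opening MSL input at all, which covers the third bullet while the upgrade in the first bullet is scheduled. Treat a `vulnerable_version` of `True` with `msl_disabled` of `False` as the state that needs action.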


Advisories

  Source       ID                    Title
  Debian DLA   DLA-4448-1            imagemagick security update
  Debian DSA   DSA-6111-1            imagemagick security update
  GitHub GHSA  GHSA-9vj4-wc7r-p844   ImageMagick MSL: Stack overflow via infinite recursion in ProcessMSLScript
History

Thu, 29 Jan 2026 14:00:00 +0000
  CPEs: cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*

Tue, 20 Jan 2026 22:15:00 +0000
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 20 Jan 2026 12:15:00 +0000
  References
  Metrics (threat_severity): None -> Moderate

Tue, 20 Jan 2026 08:45:00 +0000
  First Time appeared: Imagemagick, Imagemagick imagemagick
  Vendors & Products: Imagemagick, Imagemagick imagemagick

Tue, 20 Jan 2026 01:15:00 +0000
  Description: ImageMagick is free and open-source software used for editing and manipulating digital images. Versions prior to 7.1.2-13 have a stack overflow via infinite recursion in MSL (Magick Scripting Language) `<write>` command when writing to MSL format. Version 7.1.2-13 fixes the issue.
  Title: ImageMagick's MSL: Stack overflow via infinite recursion in ProcessMSLScript
  Weaknesses: CWE-835
  References
  Metrics (cvssV3_1): {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

MITRE

  Status: PUBLISHED
  Assigner: GitHub_M
  Published:
  Updated: 2026-01-20T21:43:48.227Z
  Reserved: 2026-01-16T21:02:02.900Z
  Link: CVE-2026-23874

Vulnrichment

  Updated: 2026-01-20T21:40:47.893Z

NVD

  Status: Analyzed
  Published: 2026-01-20T01:15:57.300
  Modified: 2026-01-29T13:57:07.867
  Link: CVE-2026-23874

Redhat

  Severity: Moderate
  Public Date: 2026-01-20T00:52:52Z
  Links: CVE-2026-23874 - Bugzilla

OpenCVE Enrichment

  Updated: 2026-04-18T05:00:06Z

Weaknesses