Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Versions 14.10.1 and below have a NULL pointer dereference vulnerability in the MSL (Magick Scripting Language) parser when processing <comment> tags before images are loaded. This can lead to DoS attack due to assertion failure (debug builds) or NULL pointer dereference (release builds). This issue is fixed in version 14.10.2.
Published: 2026-01-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via NULL pointer dereference
Action: Apply patch
AI Analysis

Impact

ImageMagick, a widely used open‑source image manipulation library, contains a NULL pointer dereference flaw in the Magick Scripting Language parser. The issue is triggered when a <comment> tag is parsed before an image is loaded, causing an assertion failure in debug builds or a NULL dereference in release builds. The resulting crash can interrupt services that rely on ImageMagick or its .NET bindings, effectively creating a denial‑of‑service vulnerability. The weakness is classified as CWE‑476 (NULL Pointer Dereference).

Affected Systems

Affected products include the ImageMagick software itself and the Magick.NET .NET wrapper. Versions 14.10.1 and earlier are vulnerable; the flaw is addressed in ImageMagick 14.10.2 and the corresponding Magick.NET 14.10.2 release. No other products or versions are identified in the current advisory.

Risk and Exploitability

The vulnerability received a CVSS score of 6.5, indicating moderate severity, while the EPSS score is below 1 %, pointing to a low exploitation probability. It is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attacker would need to supply a crafted image file that contains a <comment> tag before the image data. This typically implies a local or privileged context unless the target application allows remote image uploads. Given the current metrics, the risk is moderate but still warrants timely mitigation.

Generated by OpenCVE AI on April 18, 2026 at 18:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to version 14.10.2 or later.
  • Upgrade the Magick.NET .NET wrapper to version 14.10.2 or later.
  • If an upgrade is not immediately possible, sanitise incoming image files to remove or escape <comment> tags before processing with ImageMagick.

Generated by OpenCVE AI on April 18, 2026 at 18:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4448-1 imagemagick security update
Debian DSA Debian DSA DSA-6111-1 imagemagick security update
Github GHSA Github GHSA GHSA-5vx3-wx4q-6cj8 ImageMagick has a NULL pointer dereference in MSL parser via <comment> tag before image load
History

Fri, 27 Feb 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Dlemstra
Dlemstra magick.net
CPEs cpe:2.3:a:dlemstra:magick.net:*:*:*:*:*:*:*:*
cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*
Vendors & Products Dlemstra
Dlemstra magick.net

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Imagemagick
Imagemagick imagemagick
Vendors & Products Imagemagick
Imagemagick imagemagick

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 22 Jan 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Thu, 22 Jan 2026 00:45:00 +0000

Type Values Removed Values Added
Description ImageMagick is free and open-source software used for editing and manipulating digital images. Versions 14.10.1 and below have a NULL pointer dereference vulnerability in the MSL (Magick Scripting Language) parser when processing <comment> tags before images are loaded. This can lead to DoS attack due to assertion failure (debug builds) or NULL pointer dereference (release builds). This issue is fixed in version 14.10.2.
Title ImageMagick has a NULL pointer dereference in MSL parser via <comment> tag before image load
Weaknesses CWE-476
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Dlemstra Magick.net
Imagemagick Imagemagick
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-22T21:43:42.939Z

Reserved: 2026-01-19T14:49:06.312Z

Link: CVE-2026-23952

cve-icon Vulnrichment

Updated: 2026-01-22T21:43:31.530Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-22T01:15:52.790

Modified: 2026-02-27T15:35:07.890

Link: CVE-2026-23952

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-01-22T00:32:52Z

Links: CVE-2026-23952 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T19:00:08Z

Weaknesses