CVE-2026-25971 - Vulnerability Details

- ImageMagick's MSL: Stack overflow in ProcessMSLScript

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, Magick fails to check for circular references between two MSLs, leading to a stack overflow. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

Published: 2026-02-24

Score: 6.2 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

ImageMagick processes images that may contain scripts written in the proprietary MSL language. In versions prior to 7.1.2‑15 and 6.9.13‑40 the library does not detect circular references between two MSL files, which is an example of improper input validation (CWE‑606) that permits unchecked recursion (CWE‑674) and results in a stack buffer overflow (CWE‑787). When an attacker supplies a pair of scripts that reference each other, the recursive processing causes a stack overflow. The overflow corrupts stack memory and crashes the application, producing a denial of service. No confirmed exploitation that leads to code execution is described in the advisory.

Affected Systems

The vulnerability affects the ImageMagick image processing library. All releases before 7.1.2‑15 and before 6.9.13‑40 are vulnerable. The patch is included in 7.1.2‑15 and 6.9.13‑40.

Risk and Exploitability

The CVSS score of 6.2 indicates moderate severity. The EPSS score is reported as less than 1 %, implying a very low chance of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is the delivery of malicious MSL files to an ImageMagick instance that processes images, typically occurring when the software is exposed in a server or web service that accepts uploaded images. Because the flaw triggers a stack overflow, the primary risk is denial of service; the advisory does not confirm any further impact such as code execution.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

ImageMagick

affected

Version	Status	Constraints
`>= 7.0.0, < 7.1.2-15`	affected	—
`< 6.9.13-40`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:imagemagick:imagemagick::::::::
	cpe:2.3:a:imagemagick:imagemagick::::::::

No data.

Vendor Product Confidence Versions

Imagemagick

100%

Version	Status	Scheme	Platform
`[7.0.0,7.1.2-15)`	affected	semver	—
`[0,6.9.13-40)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade ImageMagick to 7.1.2‑15 or newer, or to 6.9.13‑40 or newer.
If upgrading immediately is not possible, disable MSL script support in the configuration so the vulnerable code path is not exercised.
Validate images before they reach ImageMagick, rejecting any content that contains MSL scripts or circular references to prevent the overflow.

Generated by OpenCVE AI on April 18, 2026 at 17:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6158-1	imagemagick security update
Github GHSA	GHSA-8mpr-6xr2-chhc	ImageMagick: MSL - Stack overflow in ProcessMSLScript

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00043.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-8mpr-6xr2-chhc
https://nvd.nist.gov/vuln/detail/CVE-2026-25971
https://www.cve.org/CVERecord?id=CVE-2026-25971

History

Wed, 25 Feb 2026 16:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-787
CPEs		cpe:2.3:a:imagemagick:imagemagick::::::::

Tue, 24 Feb 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-606
References		https://nvd.nist.gov/vuln/detail/CVE-2026-25971 https://www.cve.org/CVERecord?id=CVE-2026-25971
Metrics	threat_severity `None`	threat_severity `Moderate`

Tue, 24 Feb 2026 10:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Imagemagick Imagemagick imagemagick
Vendors & Products		Imagemagick Imagemagick imagemagick

Tue, 24 Feb 2026 02:00:00 +0000

Type	Values Removed	Values Added
Description		ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, Magick fails to check for circular references between two MSLs, leading to a stack overflow. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
Title		ImageMagick's MSL: Stack overflow in ProcessMSLScript
Weaknesses		CWE-674
References		https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-8mpr-6xr2-chhc
Metrics		cvssV3_1 `{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Subscriptions

Imagemagick Imagemagick

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-02-24T01:39:21.685Z

Updated: 2026-02-26T21:33:39.136Z

Reserved: 2026-02-09T17:13:54.068Z

Link: CVE-2026-25971

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-02-24T02:16:02.130

Modified: 2026-02-25T15:53:26.643

Link: CVE-2026-25971

Redhat

Severity : Moderate

Publid Date: 2026-02-24T01:39:21Z

Links: CVE-2026-25971 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T18:00:06Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object