Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted MSL script triggers a heap-use-after-free. The operation element handler replaces and frees the image while the parser continues reading from it, leading to a UAF in ReadBlobString during further parsing. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
Published: 2026-02-24
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory Corruption
Action: Apply Patch
AI Analysis

Impact

A crafted Microsoft Scripting Language (MSL) file can trigger a heap-use-after-free in ImageMagick’s MSLStartElement handler. When the operation element replaces and frees an image, the parser continues to read from the released memory, causing a use-after-free during a subsequent ReadBlobString. This memory corruption vulnerability may lead to application crashes or, in a worst‑case scenario, arbitrary code execution if the corrupted state is exploitable. The weakness is identified as CWE-416 and CWE-825.

Affected Systems

ImageMagick versions prior to 7.1.2-15 and 6.9.13-40 are affected. The vulnerability resides in the core image processing library and applies to any deployment that processes MSL scripts, including web applications, content management systems, or other services that manipulate images with ImageMagick.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% shows a low probability of exploitation in the near term. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is the injection of a malicious MSL script that an application processes during image handling, inferred from the description of the vulnerability. Consequently, systems that use ImageMagick for image processing should assess exposure, apply the recommended patch, and monitor for anomalous activity.

Generated by OpenCVE AI on April 17, 2026 at 15:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to version 7.1.2-15 or later, or 6.9.13-40 or later, ensuring that the applied package includes the fix.
  • If an immediate upgrade is not possible, recompile or configure ImageMagick with MSL support disabled to prevent parsing of MSL scripts.
  • After applying the upgrade or disabling MSL, test image processing workflows for stability and monitor logs for unexpected crashes or abnormal memory usage.

Generated by OpenCVE AI on April 17, 2026 at 15:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4497-1 imagemagick security update
Debian DSA Debian DSA DSA-6158-1 imagemagick security update
Debian DSA Debian DSA DSA-6159-1 imagemagick security update
Github GHSA Github GHSA GHSA-fwqw-2x5x-w566 ImageMagick has Use After Free in MSLStartElement in "coders/msl.c"
Ubuntu USN Ubuntu USN USN-8069-1 ImageMagick vulnerabilities
History

Sat, 28 Feb 2026 03:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Feb 2026 16:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*

Tue, 24 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 24 Feb 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Imagemagick
Imagemagick imagemagick
Vendors & Products Imagemagick
Imagemagick imagemagick

Tue, 24 Feb 2026 02:00:00 +0000

Type Values Removed Values Added
Description ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted MSL script triggers a heap-use-after-free. The operation element handler replaces and frees the image while the parser continues reading from it, leading to a UAF in ReadBlobString during further parsing. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
Title ImageMagick has Use After Free in MSLStartElement in "coders/msl.c"
Weaknesses CWE-416
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Imagemagick Imagemagick
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-28T02:04:51.222Z

Reserved: 2026-02-09T17:41:55.857Z

Link: CVE-2026-25983

cve-icon Vulnrichment

Updated: 2026-02-28T02:04:45.793Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-24T02:16:02.463

Modified: 2026-02-25T15:53:20.203

Link: CVE-2026-25983

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-24T01:41:45Z

Links: CVE-2026-25983 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T16:00:11Z

Weaknesses