Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a heap use-after-free vulnerability in ImageMagick's MSL decoder allows an attacker to trigger access to freed memory by crafting an MSL file. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
Published: 2026-03-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a heap use‑after‑free in ImageMagick’s MSL decoder. By crafting a malicious MSL file, an attacker can trigger access to freed memory, potentially causing a crash or unexpected application behavior. The core weakness is captured by CWE‑416 and CWE‑825, and may lead to denial of service or, in some exploitation scenarios, remote code execution if the freed memory can be overwritten.

Affected Systems

All ImageMagick releases older than 7.1.2‑16 and 6.9.13‑41 are affected. Systems that still run those legacy versions need to update to the patched releases to eliminate the flaw.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate severity. The EPSS score is reported as less than 1%, meaning exploitation likelihood is low but not impossible. The vulnerability is not listed in the CISA KEV catalog, so no large‑scale attacks have been documented. The attack vector appears to be local file processing; an attacker must supply a crafted MSL image to the vulnerable ImageMagick instance, and no explicit authentication is required by the description. The CVSS 3.1 vector recorded for this CVE (AV:N/AC:L/PR:N/UI:N) scores the attack vector as network, with no privileges or user interaction required.

Generated by OpenCVE AI on April 16, 2026 at 10:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to version 7.1.2‑16 or later, or 6.9.13‑41 or later.
  • If an upgrade is not immediately possible, disable processing of MSL files or restrict access to the functionality that parses MSL images.
  • Apply vendor security advisories and monitor the ImageMagick project for subsequent patches or additional mitigations.


Advisories

Source | ID | Title
Debian DLA | DLA-4539-1 | imagemagick security update
Debian DSA | DSA-6169-1 | imagemagick security update
Debian DSA | DSA-6210-1 | imagemagick security update
GitHub GHSA | GHSA-fpvf-frm6-625q | ImageMagick has Heap Use-After-Free in ImageMagick MSL decoder

History

Thu, 12 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*

Wed, 11 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

threat_severity

Moderate


Tue, 10 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Imagemagick
Imagemagick imagemagick
Vendors & Products Imagemagick
Imagemagick imagemagick

Mon, 09 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Description ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a heap use-after-free vulnerability in ImageMagick's MSL decoder allows an attacker to trigger access to freed memory by crafting an MSL file. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
Title ImageMagick has a Heap Use-After-Free in ImageMagick MSL decoder
Weaknesses CWE-416
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T16:01:57.138Z

Reserved: 2026-03-02T21:43:19.927Z

Link: CVE-2026-28687

Vulnrichment

Updated: 2026-03-10T16:01:53.982Z

NVD

Status: Analyzed

Published: 2026-03-10T07:43:43.660

Modified: 2026-03-12T15:09:43.583

Link: CVE-2026-28687

Red Hat

Severity: Moderate

Public Date: 2026-03-09T21:37:24Z

Links: CVE-2026-28687 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T10:15:26Z