Description
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, an off by one error in the MSL decoder could result in a crash when a malicous MSL file is read. This issue has been fixed in version 7.1.2-19.
Published: 2026-04-13
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Update
AI Analysis

Impact

The vulnerability is an off‑by‑one error in the MSL decoder of ImageMagick. When the library processes a malicious MSL file, a memory boundary is mis‑handled, which can cause the program to crash. The crash results in a denial of service for any process that uses ImageMagick to process images. This weakness is classified as CWE‑193.

Affected Systems

The flaw affects the ImageMagick library in all releases prior to 7.1.2‑19. Applications or services that rely on these older versions to load or transform images are susceptible. The fix is available in version 7.1.2‑19 and later, and for the .NET binding Magick.NET the corresponding update is 14.12.0.

Risk and Exploitability

The CVSS score of 6.2 indicates a moderate severity. No exploitation probability score is provided, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is local or remote delivery of a crafted MSL image to an ImageMagick‑based service; an adversary could trigger the crash and force the target application to terminate or restart, causing a denial of service. Because the issue is triggered by image processing, any path that accepts untrusted images could be abused.

Generated by OpenCVE AI on April 13, 2026 at 23:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to 7.1.2‑19 or later.
  • If using Magick.NET, upgrade to 14.12.0 or later.

Generated by OpenCVE AI on April 13, 2026 at 23:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-5xg3-585r-9jh5 ImageMagick has an off-by-one error in MSL decoder could result in crash
History

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Imagemagick
Imagemagick imagemagick
Vendors & Products Imagemagick
Imagemagick imagemagick

Tue, 14 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Mon, 13 Apr 2026 22:00:00 +0000

Type Values Removed Values Added
Description ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, an off by one error in the MSL decoder could result in a crash when a malicous MSL file is read. This issue has been fixed in version 7.1.2-19.
Title ImageMagick: Off-by-One in MSL decoder could result in crash
Weaknesses CWE-193
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Imagemagick Imagemagick
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-14T19:27:39.053Z

Reserved: 2026-04-10T21:41:54.505Z

Link: CVE-2026-40312

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-13T22:16:30.113

Modified: 2026-04-13T22:16:30.113

Link: CVE-2026-40312

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-13T21:43:28Z

Links: CVE-2026-40312 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:32:56Z

Weaknesses