Impact
ImageMagick allows a crafted Multi-Stop Language (MSL) image to trigger a heap-use-after-free during decoding. The resulting memory corruption can crash the ImageMagick process or, if exploited deliberately, permit arbitrary code execution. The flaw arises from improper handling of memory after an object has been freed.
Affected Systems
ImageMagick versions older than 7.1.2.23 and 6.9.13-48 are affected. The vulnerability is present in any ImageMagick build that compiles in the vulnerable code.
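To triage an inventory against the two fixed releases named above, the following added example (not part of the advisory or of ImageMagick) classifies the first line of `magick -version` or `convert -version` output per release branch. The host names and banner lines are constructed sample input, and the function names are hypothetical.

```python
import re

# Fixed releases per branch, as stated in the advisory text above.
FIXED = {6: (6, 9, 13, 48), 7: (7, 1, 2, 23)}

# Matches "ImageMagick 7.1.1-43" as well as the dotted form "7.1.2.23".
_VERSION_RE = re.compile(r"ImageMagick\s+(\d+)\.(\d+)\.(\d+)[-.](\d+)")


def parse_version(banner):
    """Return (major, minor, patch, build) from a -version banner, or None."""
    match = _VERSION_RE.search(banner)
    return tuple(int(g) for g in match.groups()) if match else None


def classify(banner):
    """Return 'affected', 'fixed' or 'unknown' for one banner line.

    'affected' means the upstream version is older than the fixed release of
    its branch. Distribution packages can carry backported fixes without
    changing the upstream version, so treat it as a candidate for review.
    """
    version = parse_version(banner)
    if version is None or version[0] not in FIXED:
        return "unknown"
    return "affected" if version < FIXED[version[0]] else "fixed"


def triage(inventory):
    """Map each host to the classification of its banner."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed sample inventory (host names and banners are illustrative).
SAMPLE_INVENTORY = {
    "web-01": "Version: ImageMagick 6.9.11-60 Q16 x86_64 2021-01-25 https://imagemagick.org",
    "web-02": "Version: ImageMagick 7.1.2-23 Q16-HDRI x86_64 https://imagemagick.org",
    "img-03": "Version: ImageMagick 7.1.1-43 Q16-HDRI x86_64 22550 https://imagemagick.org",
    "img-04": "Version: ImageMagick 6.9.13-48 Q16 x86_64 https://legacy.imagemagick.org",
    "build-05": "GraphicsMagick 1.3.42 Q16 http://www.GraphicsMagick.org/",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```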
Risk and Exploitability
The CVSS score of 6.2 indicates medium severity. The EPSS score is less than 1%, implying a very low probability of exploitation in the near future. The flaw is not listed in CISA’s KEV catalog. Exploitation requires an ImageMagick instance to process a malicious MSL image; the description does not specify whether this can occur locally or remotely, only that the attacker must supply the crafted image to the vulnerable decoder.