Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2.23 and 6.9.13-48, a crafted MSL image can trigger a heap-use-after-free. Versions 7.1.2.23 and 6.9.13-48 fix the issue.
Published: 2026-06-10
Score: 6.2 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ImageMagick allows a crafted MSL image to trigger a heap-use-after-free during decoding. The resulting memory corruption can cause the ImageMagick process to crash or, if the memory is used maliciously, permit arbitrary code execution. This flaw arises from improper handling of memory after an object has been freed.

Affected Systems

ImageMagick versions older than 7.1.2.23 and 6.9.13-48 are affected. The vulnerability is present in the ImageMagick family of products across all operating systems where the vulnerable code is compiled.

Risk and Exploitability

The CVSS score of 6.2 indicates a medium severity. No EPSS data is available, and the flaw is not listed in CISA’s KEV catalog. Exploitation requires delivery of a malicious MSL image to an ImageMagick instance that processes untrusted input, either locally or remotely if the ImageMagick library is exposed through a web service or other interface.

Generated by OpenCVE AI on June 10, 2026 at 22:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to version 7.1.2.23 or later, or to 6.9.13-48 or later, to apply the official fix
  • If a newer version cannot be deployed immediately, disable or remove the MSL decoder to prevent processing of MSL images
  • Restrict ImageMagick usage to the least privileged user and validate or sanitize all images before processing

Generated by OpenCVE AI on June 10, 2026 at 22:23 UTC.
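A check for the first two recommended actions, added here as an example (not code from OpenCVE or the ImageMagick project): it classifies a version string against the fixed releases named on this page and tests whether a policy.xml denies the MSL coder. The `Version: ImageMagick X.Y.Z-P` banner format, the function names and the sample input are assumptions.

```shell
#!/bin/sh
# Added example. Fixed releases are the ones named on this page; the banner
# format and the policy.xml coder entry are assumptions about the local install.

# extract_version: stdin is `magick -version` (or `identify -version`) output.
extract_version() {
    awk '$1 == "Version:" && $2 == "ImageMagick" { print $3; exit }'
}

# version_lt A B: succeeds when A is strictly older than B. Accepts "7.1.2-23"
# and "7.1.2.23"; returns 2 unless the pair splits into eight fields.
version_lt() {
    set -- $(printf '%s %s' "$1" "$2" | tr '.-' '  ')
    [ $# -eq 8 ] || return 2
    if   [ "$1" -ne "$5" ]; then [ "$1" -lt "$5" ]
    elif [ "$2" -ne "$6" ]; then [ "$2" -lt "$6" ]
    elif [ "$3" -ne "$7" ]; then [ "$3" -lt "$7" ]
    else [ "$4" -lt "$8" ]
    fi
}

# msl_status VERSION: prints vulnerable, patched or unknown.
msl_status() {
    case "$1" in
        ''|*[!0-9.-]*) echo unknown; return 0 ;;
        7.*) fixed=7.1.2-23 ;;
        6.*) fixed=6.9.13-48 ;;
        *)   echo unknown; return 0 ;;
    esac
    version_lt "$1" "$fixed" && rc=0 || rc=$?
    case $rc in
        0) echo vulnerable ;;
        1) echo patched ;;
        *) echo unknown ;;
    esac
}

# msl_coder_blocked: stdin is policy.xml. Succeeds if an uncommented coder
# policy with rights="none" names MSL. Line-based; errs toward "not blocked".
msl_coder_blocked() {
    sed -e 's/<!--.*-->//g' -e '/<!--/,/-->/d' |
        grep 'domain="coder"' | grep 'rights="none"' |
        grep -Eq 'pattern="([^"]*[{,])?MSL([},][^"]*)?"'
}

# Constructed sample input, not captured from a real host.
SAMPLE='Version: ImageMagick 7.1.2-22 Q16-HDRI x86_64 https://imagemagick.org'
echo "sample: $(msl_status "$(printf '%s\n' "$SAMPLE" | extract_version)")"
```

The policy entry that `msl_coder_blocked` looks for is `<policy domain="coder" rights="none" pattern="MSL" />`; `magick -list policy` shows which policy files are actually loaded.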


Advisories

Source | ID | Title
Debian DLA | DLA-4609-1 | imagemagick security update
Debian DSA | DSA-6298-1 | imagemagick security update
Debian DSA | DSA-6310-1 | imagemagick security update
GitHub GHSA | GHSA-5r4x-w6p5-222q | ImageMagick: Use-After-Free in MSL decoder.

History

Wed, 10 Jun 2026 22:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Imagemagick; Imagemagick imagemagick
Vendors & Products | | Imagemagick; Imagemagick imagemagick

Wed, 10 Jun 2026 21:45:00 +0000

Type | Values Removed | Values Added
Description | | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2.23 and 6.9.13-48, a crafted MSL image can trigger a heap-use-after-free. Versions 7.1.2.23 and 6.9.13-48 fix the issue.
Title | | ImageMagick: Use-After-Free in MSL decoder.
Weaknesses | | CWE-416
References | |
Metrics | | cvssV3_1 {'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T21:43:42.309Z

Reserved: 2026-05-14T19:12:32.755Z

Link: CVE-2026-46523

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-10T22:16:59.480

Modified: 2026-06-10T22:16:59.480

Link: CVE-2026-46523

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T22:30:22Z
