ImageMagick, Uncontrolled Recursion, CVE-2026-25971 (Critical)

Listen to this Post

ImageMagick fails to check for circular references between two Magick Scripting Language (MSL) files . When a specially crafted MSL script is processed, specifically one that causes a file to reference itself or another file that references it back, the `ProcessMSLScript` function enters an infinite recursion loop . This causes the call stack to grow uncontrollably because the function continuously calls itself without an exit condition. The stack memory eventually overflows, leading to a crash (segmentation fault) and resulting in a Denial of Service (DoS) . The vulnerability lies in the XML parsing chain where `ProcessMSLScript` calls xmlParseChunk, which ultimately calls back into MSLStartElement, restarting the cycle [citation:].

dailycve form:

Platform: ImageMagick
Version: <7.1.2-15, <6.9.13-40
Vulnerability : Stack overflow via recursion
Severity: Critical (9.8 CVSS)
date: Feb 23, 2026

Prediction: Patched already

What Undercode Say:

Analytics:

  • CWE-674: Uncontrolled Recursion
  • Attack Vector: Network (Remote)
  • User Interaction: None required
  • Scope: Unchanged
  • Technical Impact: Denial of Service / Application Crash
  • Vulnerable Function: `ProcessMSLScript`

Bash Commands & Detection:

Check installed ImageMagick version
identify -version | grep Version
Check for vulnerable MSL handling (policy)
grep -r "msl" /etc/ImageMagick-/policy.xml
Debian/Ubuntu update command
sudo apt update && sudo apt install imagemagick
RHEL/CentOS/Fedora update
sudo dnf upgrade ImageMagick
Verify patch application (Version should be >= 7.1.2-15 or 6.9.13-40)
convert --version | grep -E "7.1.2-1[5-9]|6.9.13-(4[0-9]|5[0-9])"

Exploit:

  • Malicious MSL file referencing itself.
    <?xml version="1.0" encoding="UTF-8"?>
    <image>
    <read filename="circular.msl" />
    <write filename="output.png" />
    </image>
    

(Where `circular.msl` reads itself recursively).

Protection from this CVE:

  • Upgrade to version 7.1.2-15 or 6.9.13-40 immediately .
  • Disable MSL coders in policy.xml if not needed:
    <policy domain="coder" rights="none" pattern="MSL" />
    
  • Validate and sanitize all user-uploaded image files before processing.

Impact:

  • Complete denial of service for image processing services.
  • If combined with other memory corruption bugs, potential for arbitrary code execution (RCE) in worst-case scenarios .
  • Affects popular Linux distributions including Debian, Red Hat, and openEuler .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top