ImageMagick, Use-After-Free, CVE-2026-25983 (Medium)

Listen to this Post

A heap-use-after-free vulnerability exists in ImageMagick when processing crafted MSL (Magick Scripting Language) scripts. The issue resides in the MSLStartElement function within the MSL decoder. When the parser encounters an `` element, the handler replaces the current image and frees the original image structure. However, the parser continues to read from the freed image, leading to a use-after-free condition in the `ReadBlobString` function during subsequent parsing operations. This occurs because the `operation` element handler replaces and frees an image while the parser continues reading from it, resulting in a use-after-free in `ReadBlobString` during further parsing. This vulnerability affects ImageMagick versions prior to 7.1.2-15 and 6.9.13-40. A remote attacker can exploit this vulnerability by providing a crafted MSL script that triggers the heap-use-after-free condition, potentially causing a denial of service through application crashes. The CVSS score is 5.3 (Medium) with availability impact only. The patch was released on February 24, 2026, the same day the CVE was published. This vulnerability is classified under CWE-416 (Use After Free). Learn more on MITRE.

dailycve form:

Platform: ImageMagick
Version: <7.1.2-15,<6.9.13-40
Vulnerability: heap-use-after-free
Severity: Medium
date: 2026-02-24

Prediction: Patch released same day

Analytics under What Undercode Say:

Check ImageMagick version
convert --version
Detect vulnerable version on Linux (Debian/Ubuntu)
dpkg -l imagemagick | grep -E "7.1.2-1[0-4]|6.9.13-[0-3][0-9]"
Detect vulnerable version on RHEL/CentOS/Fedora
rpm -q ImageMagick | grep -E "7.1.2-[0-9]{1,2}|6.9.13-[0-3][0-9]"
Example MSL script that may trigger the vulnerability (conceptual)
echo '<?xml version="1.0"?><image><read filename="input.png"/><operation><image><read filename="exploit.msl"/></image></operation></image>' > exploit.msl

Exploit:

A remote attacker can supply a maliciously crafted MSL script to an application using ImageMagick’s MSL decoder. The script triggers the use-after-free by causing the `operation` element handler to replace and free an image while the parser continues to read from the freed memory. This can lead to a crash (denial of service) and potentially arbitrary code execution, though no public exploit has been confirmed.

Protection from this CVE

  • Upgrade to ImageMagick version 7.1.2-15 or later (7.x branch) or 6.9.13-40 or later (6.9.x branch).
  • If immediate patching is not feasible, restrict network access to ImageMagick services and disable processing of MSL scripts where possible.
  • Implement input validation to reject untrusted or unexpected MSL scripts.
  • For systems using vulnerable versions, consider using security modules like AppArmor or SELinux to limit the impact of potential exploits.
  • Monitor for any exploitation attempts using intrusion detection systems (IDS) that can detect anomalous ImageMagick behavior.

Impact:

Successful exploitation can lead to a denial-of-service condition, causing the ImageMagick process to crash or behave unpredictably. The CVSS 3.1 vector string (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) indicates a medium severity, with no impact on confidentiality or integrity, but a low impact on availability. However, the NIST has assigned a critical CVSS score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) due to the potential for remote code execution, though this is contested. The primary risk is application instability and service disruption.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top