VYPR
Moderate severity · OSV Advisory · Published Jan 20, 2026 · Updated Jan 20, 2026

ImageMagick's MSL: Stack overflow via infinite recursion in ProcessMSLScript

CVE-2026-23874

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Versions prior to 7.1.2-13 have a stack overflow via infinite recursion in MSL (Magick Scripting Language) `` command when writing to MSL format. Version 7.1.2-13 fixes the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ImageMagick versions prior to 7.1.2-13 are vulnerable to a stack overflow via infinite recursion in the MSL `` command when writing to MSL format, leading to denial of service.

Vulnerability Overview

CVE-2026-23874 describes a stack overflow vulnerability in ImageMagick, a widely used open-source image processing suite. The flaw resides in the MSL (Magick Scripting Language) parser, specifically within the `` command handler in `coders/msl.c`. When the command is used to output an image in MSL format, the function `WriteMSLImage()` is called, which in turn parses the MSL file again via `ProcessMSLScript()`. If the MSL file contains a self-referential or circular `` directive, this creates an infinite recursion loop, leading to stack exhaustion and a crash [1][2][3].

Exploitation and Attack Surface

Exploitation requires the attacker to supply a crafted MSL file that triggers the recursive loop. The vulnerability can be triggered by using the `magick MSL:recursive.msl out.png` command or via fuzzing inputs. No authentication is required if the application processes user-supplied MSL files. The attack surface includes any service or application that uses ImageMagick to handle MSL input, such as web upload handlers, image conversion tools, or automation pipelines [3].

Impact

Successful exploitation results in a denial of service (DoS) due to stack overflow, causing the application to crash. The vulnerability does not appear to allow arbitrary code execution or data exfiltration based on available information. The crash is guaranteed when the recursive condition is met, as demonstrated by AddressSanitizer stack traces showing over 287 recursive frames [3].

Mitigation

The issue is fixed in ImageMagick version 7.1.2-13 [2][3]. Users should upgrade to this version or later. For environments where immediate patching is not possible, administrators can implement security policies to restrict or disable MSL processing, or validate MSL files before processing. The vulnerability is also addressed in downstream libraries such as Magick.NET 14.10.2 [4].
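One way to audit the policy-based mitigation described above, as an added example (not part of the advisory or of ImageMagick): the Python below models how coder-domain entries in a `policy.xml` combine for the MSL coder, assuming entries apply in file order with the last match deciding and patterns using `*` and `{A,B}` globs. The function names and the three sample policies are constructed for illustration; `magick -list policy` on the host remains the authoritative view.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET

def expand_braces(pattern):
    """Expand {A,B,C} alternation into plain glob patterns."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    return [g for alt in m.group(1).split(",")
            for g in expand_braces(head + alt.strip() + tail)]

def effective_rights(policy_xml, coder="MSL"):
    """Rights left for `coder` once every coder-domain entry is applied.
    Assumption: entries apply in file order and the last match decides.
    Only domain="coder" is modelled; module-domain entries are ignored."""
    rights = {"read", "write"}  # no matching entry: coder is usable
    for p in ET.fromstring(policy_xml).iter("policy"):
        if p.get("domain", "").lower() != "coder":
            continue
        globs = expand_braces(p.get("pattern", ""))
        if any(fnmatch.fnmatchcase(coder, g) for g in globs):
            tokens = {t.strip().lower() for t in p.get("rights", "").split("|")}
            rights = tokens - {"none", ""}
    return rights

def msl_blocked(policy_xml):
    """True when no rights remain for the MSL coder."""
    return not effective_rights(policy_xml, "MSL")

# Constructed sample policies (not taken from any real host).
WEAK = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="{PS,EPS,PDF}"/>
</policymap>"""
HARDENED = """<policymap>
  <policy domain="coder" rights="none" pattern="{MSL,PS,EPS,PDF}"/>
</policymap>"""
# Deny-by-default list that a later wildcard entry reopens for MSL.
REOPENED = """<policymap>
  <policy domain="coder" rights="none" pattern="*"/>
  <policy domain="coder" rights="read|write" pattern="{PNG,JPEG,M*}"/>
</policymap>"""

if __name__ == "__main__":
    for name, xml in (("WEAK", WEAK), ("HARDENED", HARDENED), ("REOPENED", REOPENED)):
        print(name, "MSL blocked" if msl_blocked(xml) else "MSL still enabled")
```

The `REOPENED` case is the one to look for in review: a deny-all entry followed by an allowlist whose wildcard happens to match `MSL`.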

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
Magick.NET-Q8-x64NuGet
< 14.10.214.10.2
Magick.NET-Q8-arm64NuGet
< 14.10.214.10.2
Magick.NET-Q8-x86NuGet
< 14.10.214.10.2
Magick.NET-Q8-OpenMP-x64NuGet
< 14.10.214.10.2
Magick.NET-Q8-OpenMP-arm64NuGet
< 14.10.214.10.2
Magick.NET-Q16-x64NuGet
< 14.10.214.10.2
Magick.NET-Q16-arm64NuGet
< 14.10.214.10.2
Magick.NET-Q16-x86NuGet
< 14.10.214.10.2
Magick.NET-Q16-OpenMP-x64NuGet
< 14.10.214.10.2
Magick.NET-Q16-OpenMP-arm64NuGet
< 14.10.214.10.2
Magick.NET-Q16-HDRI-x64NuGet
< 14.10.214.10.2
Magick.NET-Q16-HDRI-arm64NuGet
< 14.10.214.10.2
Magick.NET-Q16-HDRI-x86NuGet
< 14.10.214.10.2
Magick.NET-Q16-HDRI-OpenMP-x64NuGet
< 14.10.214.10.2
Magick.NET-Q16-HDRI-OpenMP-arm64NuGet
< 14.10.214.10.2
Magick.NET-Q8-AnyCPUNuGet
< 14.10.214.10.2
Magick.NET-Q16-AnyCPUNuGet
< 14.10.214.10.2
Magick.NET-Q16-HDRI-AnyCPUNuGet
< 14.10.214.10.2

Affected products

2
  • 7.0.1-0, 7.0.1-1, 7.0.1-10, …+ 1 more
    • (no CPE)range: 7.0.1-0, 7.0.1-1, 7.0.1-10, …
    • (no CPE)range: <7.1.2-13


References

4
