ImageMagick has Use After Free in MSLStartElement in "coders/msl.c"

Vulnerability

Overview

ImageMagick versions prior to 7.1.2-15 and 6.9.13-40 contain a heap-use-after-free vulnerability triggered by a crafted MSL (Magick Scripting Language) script. The root cause is improper handling of the operation element: when a specific MSL script is parsed, the operation handler replaces and frees the image object, but the parser continues to reference the freed memory [2]. This leads to a use-after-free condition specifically in the ReadBlobString function during subsequent parsing [2].

Attack

Vector

An attacker can exploit this vulnerability by supplying a malicious MSL script to ImageMagick. Since ImageMagick is widely used to process user-uploaded images in web applications, graphic design tools, and scientific imaging pipelines, the attack surface includes any service that accepts and processes images [1]. No authentication is required if the application allows unauthenticated image uploads; exploitation can occur remotely by introducing the crafted MSL file [2].

Impact

Successful exploitation could lead to memory corruption, potentially allowing an attacker to read sensitive heap data or execute arbitrary code under the privileges of the ImageMagick process. Given ImageMagick's deployment in server-side environments, this could lead to compromise of the hosting server or disclosure of protected information [1].

Mitigation

The vulnerability is patched in ImageMagick versions 7.1.2-15 and 6.9.13-40 [2]. The fix ensures checks are performed before accessing the image, preventing the parser from reading freed memory [4]. Users should update to the patched versions and review security policies to restrict use of MSL or limit file processing to trusted sources [1].