ImageMagick's MSL image stack index not refreshed, leading to leaked images.
Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, sometimes msl.c fails to update the stack index, so an image is stored in the wrong slot and never freed on error, causing leaks. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ImageMagick memory leak in MSL parsing: an incorrect stack index causes image objects to never be freed. Patched in versions 7.1.2-15 and 6.9.13-40.
In ImageMagick, the MSL (Magick Scripting Language) parser in msl.c manages an image stack. Due to a flaw in the stack index management, the index is not properly updated after certain operations, causing a new image to be stored in an incorrect slot. When an error occurs, the image pointer is lost and never freed, resulting in a memory leak [2][4].
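A simplified model of the failure described above, added here as an illustration and not taken from ImageMagick's msl.c: a handler keeps a copy of the stack index, the stack grows, and the store uses the old value, so the error-path cleanup can no longer reach one allocation. The types, function names and the cached-local cause of the stale index are assumptions made for the example.

```c
/* Added illustration: a toy model of the bug class, NOT ImageMagick's msl.c.
   All names (Stack, push_level, run_handler, ...) are hypothetical. */
#include <stdio.h>
#include <stdlib.h>

#define MAX_DEPTH 8

typedef struct { int unused; } Image;      /* stand-in for an image object */
typedef struct {
    Image *slot[MAX_DEPTH];                /* one image pointer per level */
    int    n;                              /* stack index: current top level */
} Stack;

static int live;                           /* images allocated and not yet freed */

static Image *image_new(void) { Image *im = calloc(1, sizeof *im); if (im) live++; return im; }
static void image_free(Image *im) { if (im != NULL) { free(im); live--; } }

/* Open a new, empty level. Assumes n + 1 < MAX_DEPTH (true for this demo). */
static void push_level(Stack *st) { st->slot[++st->n] = NULL; }

/* Error path: free every slot the stack index says is in use. */
static void teardown(Stack *st) {
    for (int i = 0; i <= st->n; i++) { image_free(st->slot[i]); st->slot[i] = NULL; }
    st->n = 0;
}

/* Handle one nested element, then fail. Returns the number of images still
   allocated after the error-path cleanup (0 means nothing leaked). */
static int run_handler(int refresh_index) {
    Stack st = { {NULL}, 0 };
    live = 0;
    st.slot[0] = image_new();              /* image already on the stack */
    int n = st.n;                          /* handler caches the index on entry */
    push_level(&st);                       /* stack grows: st.n is now 1 */
    if (refresh_index)
        n = st.n;                          /* fix: re-read the index after the push */
    st.slot[n] = image_new();              /* stale n == 0 overwrites slot[0] */
    teardown(&st);                         /* simulated error: clean up */
    return live;
}

int main(void) {
    printf("stale index:     %d image(s) leaked\n", run_handler(0));
    printf("refreshed index: %d image(s) leaked\n", run_handler(1));
    return 0;
}
```

Building the model with `-fsanitize=address` makes LeakSanitizer report the lost allocation in the stale-index run, which is the same kind of signal to look for when testing a real build.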
Exploitation requires processing a specially crafted MSL file that triggers the error condition. The attacker does not need authentication if the target system processes untrusted image files; the vulnerability is remotely exploitable when ImageMagick is used in web applications or services that handle user-supplied images. Attack complexity is low, though user interaction may be needed to load the file [4].
The primary impact is a denial of service due to memory exhaustion from repeated leaks. While memory leaks alone typically do not lead to code execution, they can degrade system performance and potentially contribute to more severe attacks if combined with other vulnerabilities [4].
The issue is fixed in ImageMagick versions 7.1.2-15 and 6.9.13-40 [2][4]. Users should upgrade to these versions or apply the patch from the repository. As a workaround, administrators can restrict processing of untrusted MSL files or enforce resource limits via security policy.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Magick.NET-Q16-AnyCPU (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-AnyCPU (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-OpenMP-arm64 (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-OpenMP-x64 (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-arm64 (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-x64 (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-x86 (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-OpenMP-arm64 (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-OpenMP-x64 (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-OpenMP-x86 (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-arm64 (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-x64 (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-x86 (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-AnyCPU (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-OpenMP-arm64 (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-OpenMP-x64 (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-arm64 (NuGet) | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-x86 (NuGet) | < 14.10.3 | 14.10.3 |
Affected products
- (no CPE) range: <7.1.2-15, <6.9.13-40
- (no CPE) range: >= 7.0.0, < 7.1.2-15
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-782x-jh29-9mf7 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-25988 (ghsa, ADVISORY)
- github.com/ImageMagick/ImageMagick/commit/4354fc1d554ec2e6314aed13536efa7bde9593d2 (ghsa, WEB)
- github.com/ImageMagick/ImageMagick/security/advisories/GHSA-782x-jh29-9mf7 (ghsa, x_refsource_CONFIRM, WEB)
- github.com/dlemstra/Magick.NET/releases/tag/14.10.3 (ghsa, WEB)