VYPR
← All advisories
Moderate severityNVD Advisory· Published Feb 24, 2026· Updated Feb 28, 2026

ImageMagick: Invalid MSL <map> can result in a use after free

CVE-2026-26983

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, the MSL interpreter crashes when processing a invalid `` element that causes it to use an image after it has been freed. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free vulnerability in ImageMagick's MSL interpreter, triggered by an invalid element, can lead to a crash or potential code execution.

Vulnerability

Overview

A use-after-free vulnerability exists in the MSL interpreter of ImageMagick, a widely used open-source image processing suite. The bug occurs when the interpreter processes a specially crafted, invalid `` element, causing it to access an image object after it has already been freed from memory [1][2]. This flaw affects all versions prior to 7.1.2-15 and 6.9.13-40 [2].

Exploitation and

Attack Surface

An attacker can exploit this vulnerability by supplying a malicious MSL file that contains an invalid `` element. The attack does not require authentication, as ImageMagick is often used in server-side processing pipelines that accept user-uploaded images [1]. The MSL interpreter's handling of the malformed element triggers the use-after-free condition, which can be leveraged to corrupt memory [4].

Impact

Successful exploitation could lead to a denial of service (crash) or, in more severe scenarios, arbitrary code execution in the context of the ImageMagick process. The CVSS vector indicates a high severity, with potential impacts on confidentiality, integrity, and availability [4].

Mitigation

The vulnerability has been patched in ImageMagick versions 7.1.2-15 and 6.9.13-40 [2]. Users are strongly advised to update to these or later versions. As a workaround, administrators can restrict the use of the MSL format through a security policy, though updating is the recommended course of action [1][4].

References
  1. GitHub - ImageMagick/ImageMagick: ImageMagick is a free, open-source software suite for creating, editing, converting, and displaying images. It supports 200+ formats and offers powerful command-line tools and APIs for automation, scripting, and integration across platforms.
  2. NVD - CVE-2026-26983
  3. Invalid MSL <map> can result in a use after free

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
Magick.NET-Q16-AnyCPUNuGet
< 14.10.314.10.3
Magick.NET-Q16-HDRI-AnyCPUNuGet
< 14.10.314.10.3
Magick.NET-Q16-HDRI-OpenMP-arm64NuGet
< 14.10.314.10.3
Magick.NET-Q16-HDRI-OpenMP-x64NuGet
< 14.10.314.10.3
Magick.NET-Q16-HDRI-arm64NuGet
< 14.10.314.10.3
Magick.NET-Q16-HDRI-x64NuGet
< 14.10.314.10.3
Magick.NET-Q16-HDRI-x86NuGet
< 14.10.314.10.3
Magick.NET-Q16-OpenMP-arm64NuGet
< 14.10.314.10.3
Magick.NET-Q16-OpenMP-x64NuGet
< 14.10.314.10.3
Magick.NET-Q16-OpenMP-x86NuGet
< 14.10.314.10.3
Magick.NET-Q16-arm64NuGet
< 14.10.314.10.3
Magick.NET-Q16-x64NuGet
< 14.10.314.10.3
Magick.NET-Q16-x86NuGet
< 14.10.314.10.3
Magick.NET-Q8-AnyCPUNuGet
< 14.10.314.10.3
Magick.NET-Q8-OpenMP-arm64NuGet
< 14.10.314.10.3
Magick.NET-Q8-OpenMP-x64NuGet
< 14.10.314.10.3
Magick.NET-Q8-arm64NuGet
< 14.10.314.10.3
Magick.NET-Q8-x64NuGet
< 14.10.314.10.3
Magick.NET-Q8-x86NuGet
< 14.10.314.10.3

Affected products

2
  • ImageMagick/Imagemagickllm-fuzzy2 versions
    < 7.1.2-15, < 6.9.13-40+ 1 more
    • (no CPE)range: < 7.1.2-15, < 6.9.13-40
    • (no CPE)range: >= 7.0.0, < 7.1.2-15

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

5

News mentions

0

No linked articles in our index yet.