VYPR
Moderate severity · NVD Advisory · Published Mar 9, 2026 · Updated Mar 10, 2026

ImageMagick has a Heap Use-After-Free in ImageMagick MSL decoder

CVE-2026-28687

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a heap use-after-free vulnerability in ImageMagick's MSL decoder allows an attacker to trigger access to freed memory by crafting an MSL file. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Heap use-after-free in ImageMagick MSL decoder allows crafted MSL files to trigger access to freed memory, fixed in versions 7.1.2-16 and 6.9.13-41.

Overview

CVE-2026-28687 describes a heap use-after-free vulnerability in the MSL (Magick Scripting Language) decoder of ImageMagick. The flaw exists in versions prior to 7.1.2-16 and 6.9.13-41. When processing a specially crafted MSL file, the decoder may access memory that has already been freed, leading to memory corruption [2][4].

Exploitation

An attacker can exploit this vulnerability by supplying a malicious MSL file to an application that uses ImageMagick to process images. No authentication or special privileges are required; the vulnerability is triggered when the crafted file is opened or parsed by the affected decoder [4]. This attack vector is common in environments where ImageMagick processes user-uploaded images without proper validation.

Impact

Successful exploitation results in a heap use-after-free condition, potentially causing the application to crash or behave unpredictably. While the advisory does not explicitly confirm remote code execution, such memory corruption vulnerabilities often lead to arbitrary code execution if combined with other techniques [2]. Users are advised to treat this as a high-risk issue.

Mitigation

The vulnerability has been patched in ImageMagick 7.1.2-16 and 6.9.13-41. All users are strongly recommended to update to these fixed versions immediately. No workarounds are currently available [4].
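Because the only remediation the advisory lists is upgrading, the practical first step is an inventory check: confirm which ImageMagick release line each host runs and whether it is below the fixed version for that line. The following script is an added example and is not part of the advisory or of the ImageMagick project; it parses the version line printed by `magick -version` (or `convert -version` on ImageMagick 6), compares it against the fixed versions stated above (7.1.2-16 and 6.9.13-41), and applies the same check to a Magick.NET package version against 14.10.4. The sample output strings embedded below are constructed for illustration; the `check_local_install` helper is an assumption about how a practitioner would wire this into a host scan.

```python
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Fixed versions stated in the advisory, keyed by ImageMagick major release line.
# ImageMagick versions have the form major.minor.patch-release (e.g. 7.1.2-16).
FIXED_IMAGEMAGICK = {
    7: (7, 1, 2, 16),
    6: (6, 9, 13, 41),
}
# Fixed version for every Magick.NET package variant listed in the advisory.
FIXED_MAGICK_NET = (14, 10, 4)

# Matches the first line of `magick -version` / `convert -version` output.
VERSION_LINE = re.compile(r"Version:\s*ImageMagick\s+(\d+)\.(\d+)\.(\d+)-(\d+)")

# Constructed sample outputs (not captured from a real host).
SAMPLE_AFFECTED = "Version: ImageMagick 7.1.1-43 Q16-HDRI x86_64 22414 https://imagemagick.org\n"
SAMPLE_FIXED = "Version: ImageMagick 7.1.2-16 Q16-HDRI x86_64 22660 https://imagemagick.org\n"
SAMPLE_LEGACY = "Version: ImageMagick 6.9.13-40 Q16 x86_64 2024-01-01 https://imagemagick.org\n"


def parse_imagemagick_version(output: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract (major, minor, patch, release) from version output, or None if absent."""
    m = VERSION_LINE.search(output)
    if m is None:
        return None
    return tuple(int(part) for part in m.groups())  # type: ignore[return-value]


def imagemagick_is_affected(version: Tuple[int, int, int, int]) -> bool:
    """True when the version is below the fixed release for its major line."""
    fixed = FIXED_IMAGEMAGICK.get(version[0])
    if fixed is None:
        # The advisory only covers the 6.x and 7.x lines; anything else is out of scope.
        return False
    # Tuple comparison orders major, then minor, then patch, then release.
    return version < fixed


def magick_net_is_affected(version_str: str) -> bool:
    """True when a Magick.NET package version (e.g. '14.10.3') is below 14.10.4."""
    parts = tuple(int(p) for p in version_str.strip().split("."))
    return parts < FIXED_MAGICK_NET


def check_local_install() -> Optional[bool]:
    """Hypothetical host check: run the installed binary and classify its version.

    Returns True (affected), False (fixed / out of scope) or None (no binary found).
    """
    for binary in ("magick", "convert"):
        path = shutil.which(binary)
        if path is None:
            continue
        output = subprocess.run([path, "-version"], capture_output=True, text=True).stdout
        version = parse_imagemagick_version(output)
        if version is not None:
            return imagemagick_is_affected(version)
    return None


if __name__ == "__main__":
    for label, sample in (("affected", SAMPLE_AFFECTED),
                          ("fixed", SAMPLE_FIXED),
                          ("legacy", SAMPLE_LEGACY)):
        v = parse_imagemagick_version(sample)
        print(f"{label:8s} {v} -> affected={imagemagick_is_affected(v)}")
    print("local install:", check_local_install())
```

Run on a host, the script reports whether the installed binary predates the fix; for Magick.NET consumers, feed the package version from the project file into `magick_net_is_affected` instead. Note that the check says nothing about vendor-backported builds, which may carry the fix under an older version string.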

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                            Source   Affected versions   Patched versions
Magick.NET-Q16-AnyCPU              NuGet    < 14.10.4           14.10.4
Magick.NET-Q16-HDRI-AnyCPU         NuGet    < 14.10.4           14.10.4
Magick.NET-Q16-HDRI-OpenMP-arm64   NuGet    < 14.10.4           14.10.4
Magick.NET-Q16-HDRI-arm64          NuGet    < 14.10.4           14.10.4
Magick.NET-Q16-HDRI-x64            NuGet    < 14.10.4           14.10.4
Magick.NET-Q16-HDRI-x86            NuGet    < 14.10.4           14.10.4
Magick.NET-Q16-OpenMP-arm64        NuGet    < 14.10.4           14.10.4
Magick.NET-Q16-OpenMP-x64          NuGet    < 14.10.4           14.10.4
Magick.NET-Q16-OpenMP-x86          NuGet    < 14.10.4           14.10.4
Magick.NET-Q16-arm64               NuGet    < 14.10.4           14.10.4
Magick.NET-Q16-x64                 NuGet    < 14.10.4           14.10.4
Magick.NET-Q16-x86                 NuGet    < 14.10.4           14.10.4
Magick.NET-Q16-HDRI-OpenMP-x64     NuGet    < 14.10.4           14.10.4
Magick.NET-Q8-AnyCPU               NuGet    < 14.10.4           14.10.4
Magick.NET-Q8-OpenMP-arm64         NuGet    < 14.10.4           14.10.4
Magick.NET-Q8-OpenMP-x64           NuGet    < 14.10.4           14.10.4
Magick.NET-Q8-arm64                NuGet    < 14.10.4           14.10.4
Magick.NET-Q8-x64                  NuGet    < 14.10.4           14.10.4
Magick.NET-Q8-x86                  NuGet    < 14.10.4           14.10.4

Affected products (2)

  • ImageMagick/Imagemagick (llm-fuzzy match), 2 versions
    • (no CPE) range: <=7.1.2-16, <=6.9.13-41
    • (no CPE) range: >= 7.0.0, < 7.1.2-16

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (4)

News mentions (0)

No linked articles in our index yet.