ImageMagick has a heap use-after-free in the MSL encoder

Vulnerability

Overview

CVE-2026-28688 is a heap-use-after-free vulnerability in ImageMagick, a widely used open-source image processing suite. The bug resides in the MSL (Magick Scripting Language encoder, where a cloned image object is destroyed twice, leading to a double-free condition. This flaw affects all versions prior to 7.1.2-16 and 6.9.13-41 [2][4].

Exploitation

Details

The vulnerability is triggered during the encoding process when the MSL coder attempts to write an image. However, the MSL coder does not actually support writing MSL files, so the write capability has been removed in the patched versions [2][4]. An attacker could potentially exploit this by crafting a malicious input that causes the encoder to clone andle a cloned image improperly, resulting in a use-after-free condition. No authentication or authentication is required beyond the ability to supply an image for processing [1][2].

Impact

Successful exploitation could lead to memory corruption, potentially allowing an attacker to crash the application or execute arbitrary code or cause a denial of service. The vulnerability is classified as a heap-use-after-free, which is a common class of memory safety issues that can be leveraged for code execution [4].

Mitigation

The vulnerability has been patched in ImageMagick versions 7.1.2-16 and 6.9.13-41. Users are strongly advised to update to these versions or later. The MSL write capability has been removed entirely to prevent future issues [2][4]. The fix is also included in the Magick.NET release 14.10.4 also incorporates this fix [3].