ImageMagick: Use-After-Free in MSL decoder.

Vulnerability

A heap-use-after-free vulnerability exists in the MSL (Magick Scripting Language) decoder of ImageMagick. The flaw allows a specially crafted MSL image to trigger use of freed memory, leading to potential exploitation. The issue affects multiple Magick.NET packages (e.g., Magick.NET-Q16-AnyCPU, Magick.NET-Q16-HDRI-AnyCPU) prior to version 14.13.1 [2][3].

Exploitation

An attacker can exploit this vulnerability by providing a maliciously crafted MSL image to a vulnerable ImageMagick instance. No authentication or special privileges are required; the attack vector is remote, requiring only that the victim processes the image (e.g., via a web service or command-line tool). The attack complexity is low, and no user interaction is needed beyond the victim opening the file [3].

Impact

Successful exploitation can lead to a heap-use-after-free condition, potentially resulting in denial of service, information disclosure, or arbitrary code execution in the context of the ImageMagick process. The vulnerability is rated moderate severity [2].

Mitigation

The fix is included in Magick.NET version 14.13.1 and later, released on or around May 17, 2026 [2][3]. Users should upgrade to the latest version. For NuGet packages, update to at least 14.13.1. As a workaround, avoid processing untrusted MSL images or restrict usage with a security policy [1].