Skip to main content

ImageMagick CVE-2026-25968

CRITICAL
Stack-based Buffer Overflow (CWE-121)
2026-02-24 security-advisories@github.com GHSA-3mwp-xqp2-q6ph
Critical
Disputed · 9.8 NVD
Share

Severity by source

Sources disagree (Medium–Critical)
NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.1 HIGH

Network-reachable via uploaded MSL input with no auth (AV:N/PR:N/UI:N), but exploitation depends on MSL coder being enabled and bypassing stack canaries/ASLR, so AC:H.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
Red Hat
7.4 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

9
Analysis Updated
Jun 23, 2026 - 18:34 vuln.today
v3 (cvss_changed)
Source Code Evidence Fetched
Jun 23, 2026 - 18:33 vuln.today
Analysis Updated
Jun 23, 2026 - 18:33 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 23, 2026 - 18:22 vuln.today
cvss_changed
Severity Changed
Jun 23, 2026 - 18:22 NVD
HIGH CRITICAL
CVSS changed
Jun 23, 2026 - 18:22 NVD
7.4 (HIGH) 9.8 (CRITICAL)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
CVE Published
Feb 24, 2026 - 02:16 nvd
HIGH 7.4

DescriptionNVD

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a stack buffer overflow occurs when processing the an attribute in msl.c. A long value overflows a fixed-size stack buffer, leading to memory corruption. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

AnalysisAI

Stack buffer overflow in ImageMagick's MSL (Magick Scripting Language) parser allows remote attackers to corrupt memory and potentially execute arbitrary code by supplying an MSL document with an oversized attribute value processed by msl.c. All ImageMagick versions prior to 7.1.2-15 and 6.9.13-40 are affected, as well as Magick.NET bindings below 14.10.3. No public exploit identified at time of analysis and EPSS is very low (0.06%, 17th percentile), but the CVSS 9.8 reflects the worst-case unauthenticated RCE potential against any service that parses attacker-controlled MSL input.

Technical ContextAI

ImageMagick is a widely deployed image-processing library and toolset used by web stacks, document converters, and CI pipelines. The flaw lives in coders/msl.c, the handler for ImageMagick's MSL (Magick Scripting Language) XML-style scripting format, where an attribute value is copied into a fixed-size stack buffer without proper length validation. This is a classic CWE-121 Stack-based Buffer Overflow: a long attribute string overflows the stack frame, as confirmed by the AddressSanitizer trace in the advisory showing a 1-byte WRITE past a stack buffer at 0x7ffdb8c76984. Memory corruption on the stack can overwrite saved return addresses or adjacent locals, which on unhardened builds is a known path to arbitrary code execution. The affected CPE (cpe:2.3:a:imagemagick:imagemagick) and the Magick.NET NuGet packages share the same native code path.

RemediationAI

Vendor-released patch: upgrade ImageMagick to 7.1.2-15 or 6.9.13-40, and Magick.NET to 14.10.3, per GHSA-3mwp-xqp2-q6ph (https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-3mwp-xqp2-q6ph). On SUSE systems apply SUSE-SU-2026:0851 and SUSE-SU-2026:0852. If patching is delayed, disable the MSL coder by adding <policy domain="coder" rights="none" pattern="MSL" /> (and ideally <policy domain="coder" rights="none" pattern="EPHEMERAL,URL,HTTPS,MVG,MSL,TEXT,SHOW,WIN,PLT" />) to /etc/ImageMagick-*/policy.xml - this blocks the vulnerable code path with no impact on standard image format processing for the vast majority of workloads, though any pipeline that legitimately uses MSL scripting will break. Additionally restrict ImageMagick processing to trusted input only and run conversion workers under a sandboxed, low-privilege account (e.g. systemd seccomp, AppArmor, or a container with no network egress) to contain successful exploitation.

CVE-2017-15277 MEDIUM POC
6.5 Oct 12

ReadGIFImage in coders/gif.c in ImageMagick 7.0.6-1 and GraphicsMagick 1.3.26 leaves the palette uninitialized when proc

CVE-2016-5841 CRITICAL POC
9.8 Dec 13

Integer overflow in MagickCore/profile.c in ImageMagick before 7.0.2-1 allows remote attackers to cause a denial of serv

CVE-2016-3717 MEDIUM POC
5.5 May 05

The LABEL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to read arbitrary files vi

CVE-2016-5118 CRITICAL
9.8 Jun 10

The OpenBlob function in blob.c in GraphicsMagick before 1.3.24 and ImageMagick allows remote attackers to execute arbit

CVE-2016-5689 CRITICAL POC
9.8 Dec 13

The DCM reader in ImageMagick before 6.9.4-5 and 7.x before 7.0.1-7 allows remote attackers to have unspecified impact b

CVE-2016-5690 CRITICAL POC
9.8 Dec 13

The ReadDCMImage function in DCM reader in ImageMagick before 6.9.4-5 and 7.x before 7.0.1-7 allows remote attackers to

CVE-2016-5691 CRITICAL POC
9.8 Dec 13

The DCM reader in ImageMagick before 6.9.4-5 and 7.x before 7.0.1-7 allows remote attackers to have unspecified impact b

CVE-2017-14138 CRITICAL POC
9.8 Sep 04

ImageMagick 7.0.6-5 has a memory leak vulnerability in ReadWEBPImage in coders/webp.c because memory is not freed in cer

CVE-2026-23876 CRITICAL POC
9.8 Jan 20

Heap buffer overflow in ImageMagick's XBM image decoder (ReadXBMImage) lets remote attackers write attacker-controlled d

CVE-2023-34152 CRITICAL POC
9.8 May 30

A vulnerability was found in ImageMagick. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable

CVE-2019-19952 CRITICAL POC
9.8 Dec 24

In ImageMagick 7.0.9-7 Q16, there is a use-after-free in the function MngInfoDiscardObject of coders/png.c, related to R

CVE-2018-14551 CRITICAL POC
9.8 Jul 23

The ReadMATImageV4 function in coders/mat.c in ImageMagick 7.0.8-7 uses an uninitialized variable, leading to memory cor

Vendor StatusVendor

SUSE

Severity: High
Product Status
Container suse/sl-micro/6.1/baremetal-os-container:2.2.1-7.41 Container suse/sl-micro/6.1/base-os-container:2.2.1-5.62 Container suse/sl-micro/6.1/kvm-os-container:2.2.1-5.65 Container suse/sl-micro/6.1/rt-os-container:2.2.1-5.54 Image SL-Micro-Azure Image SL-Micro-BYOS-Azure Image SL-Micro-BYOS-EC2 Image SL-Micro-BYOS-GCE Image SL-Micro-EC2 Image SUSE-Multi-Linux-Manager-Proxy-BYOS-Azure Image SUSE-Multi-Linux-Manager-Proxy-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Proxy-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-Azure-llc Image SUSE-Multi-Linux-Manager-Server-Azure-ltd Image SUSE-Multi-Linux-Manager-Server-BYOS-Azure Image SUSE-Multi-Linux-Manager-Server-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Server-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-EC2-llc Image SUSE-Multi-Linux-Manager-Server-EC2-ltd Affected
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Development Tools 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP6-LTSS Fixed

Share

CVE-2026-25968 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy