CVE-2026-23874
📋 TL;DR
ImageMagick versions before 7.1.2-13 have a stack overflow vulnerability in the MSL (Magick Scripting Language) <write> command when writing to MSL format, caused by infinite recursion. This can lead to denial of service or potential arbitrary code execution. Anyone using vulnerable ImageMagick versions to process MSL scripts is affected.
💻 Affected Systems
- ImageMagick
📦 What is this software?
ImageMagick by ImageMagick
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise if an attacker can trigger the infinite recursion with crafted MSL input.
Likely Case
Denial of service causing ImageMagick to crash when processing malicious MSL scripts.
If Mitigated
Limited impact if MSL processing is disabled or input validation blocks malicious scripts.
🎯 Exploit Status
Exploitation requires crafting MSL files that trigger infinite recursion in the <write> command. No public exploit code is currently known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.1.2-13
Vendor Advisory: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9vj4-wc7r-p844
Restart Required: No
Instructions:
1. Check the current ImageMagick version with 'convert --version' or 'magick --version'.
2. Update to version 7.1.2-13 or later using your package manager (apt-get upgrade imagemagick, yum update imagemagick, etc.).
3. Verify the update with the version check command.
🔧 Temporary Workarounds
Disable MSL format processing
Platform: Linux. Remove the MSL coder from ImageMagick's policy.xml to prevent processing of MSL files.
Edit /etc/ImageMagick-7/policy.xml or /etc/ImageMagick-6/policy.xml
Add or modify: <policy domain="coder" rights="none" pattern="MSL" />
Confirm the effective policy afterwards with 'convert -list policy' or 'magick -list policy'.
Input validation for MSL files
Platform: All. Implement server-side validation to reject or sanitize MSL file uploads.
🧯 If You Can't Patch
- Implement strict input validation to block MSL file uploads or processing
- Use application-level sandboxing or containerization to limit ImageMagick's impact if exploited
🔍 How to Verify
Check if Vulnerable:
Run 'convert --version' or 'magick --version' and check whether the reported version is below 7.1.2-13.
Check Version:
(convert --version || magick --version) 2>/dev/null | head -1
Verify Fix Applied:
Confirm the version is 7.1.2-13 or higher using the version check command.
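The version check above and the policy.xml workaround, carried out by a POSIX shell script. This is an added example, not code from the advisory or from the ImageMagick project; it assumes the banner shape "Version: ImageMagick X.Y.Z-N ..." printed by 'magick --version' / 'convert --version' and the two policy.xml paths named in the workaround.

```shell
#!/bin/sh
# Added example (not from the advisory or the ImageMagick project): decide whether
# an installed ImageMagick is below the fixed 7.1.2-13 and whether policy.xml denies MSL.

FIXED_VERSION="7.1.2-13"

# Extract "7.1.2-12" from a `magick --version` / `convert --version` banner
# (assumed shape: "Version: ImageMagick 7.1.2-12 Q16-HDRI ...").
im_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^Version: ImageMagick \([0-9][0-9.]*-[0-9][0-9]*\).*/\1/p'
}

# True (exit 0) when version $1 is older than FIXED_VERSION; fields are
# compared numerically: major, minor, micro, then the -N release number.
im_version_is_vulnerable() {
    awk -v have="$1" -v want="$FIXED_VERSION" 'BEGIN {
        split(have, h, /[.-]/); split(want, w, /[.-]/)
        for (i = 1; i <= 4; i++) {
            if (h[i] + 0 < w[i] + 0) exit 0   # older than the fix
            if (h[i] + 0 > w[i] + 0) exit 1   # newer than the fix
        }
        exit 1                                # exactly the fixed release
    }'
}

# True (exit 0) when policy file $1 holds an active coder rule denying MSL,
# e.g. <policy domain="coder" rights="none" pattern="MSL" /> or a brace
# list such as pattern="{PS,PDF,MSL}". XML comments are stripped first so
# a commented-out rule does not count; attribute order does not matter.
policy_denies_msl() {
    sed -e 's/<!--.*-->//g' -e '/<!--/,/-->/d' "$1" \
      | grep '<policy' | grep 'domain="coder"' | grep 'rights="none"' \
      | grep -Eq 'pattern="\{?([A-Z0-9]+,)*MSL(,[A-Z0-9]+)*\}?"'
}

# Report on the live system (policy paths are the advisory's; assumed to exist).
report_system() {
    banner=$( { magick --version || convert --version; } 2>/dev/null | head -n 1)
    ver=$(im_version_from_banner "$banner")
    [ -n "$ver" ] || { echo "ImageMagick not found"; return 2; }
    if im_version_is_vulnerable "$ver"; then echo "ImageMagick $ver is below $FIXED_VERSION: update"
    else echo "ImageMagick $ver includes the fix"; fi
    for f in /etc/ImageMagick-7/policy.xml /etc/ImageMagick-6/policy.xml; do
        [ -f "$f" ] || continue
        if policy_denies_msl "$f"; then echo "$f: MSL coder denied"
        else echo "$f: MSL coder not denied (workaround absent)"; fi
    done
}

if [ "${1:-}" = "--check" ]; then report_system; fi
```

Run it as `sh check-im.sh --check` on a host to get both verdicts; the static policy check only parses the file, so use 'magick -list policy' to see what ImageMagick actually loaded.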
📡 Detection & Monitoring
Log Indicators:
- ImageMagick process crashes with segmentation faults
- High CPU usage from ImageMagick processes
- Repeated MSL file processing failures
Network Indicators:
- Unusual uploads of MSL format files to web applications
SIEM Query:
(process_name:"convert" OR process_name:"magick") AND (event_type:crash OR exit_code:139)