CVE-2026-25971
📋 TL;DR
ImageMagick versions before 7.1.2-15 and 6.9.13-40 contain a vulnerability where the software fails to detect circular references between two MSL (Magick Scripting Language) files, leading to a stack overflow. This could allow attackers to cause denial of service or potentially execute arbitrary code. Any system using vulnerable ImageMagick versions to process untrusted MSL files is affected.
💻 Affected Systems
- ImageMagick
📦 What is this software?
Imagemagick by Imagemagick
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise if stack overflow can be leveraged for arbitrary code execution
Likely Case
Denial of service through application crash when processing malicious MSL files
If Mitigated
No impact if proper input validation and sandboxing prevent malicious MSL processing
🎯 Exploit Status
Exploitation requires ability to supply malicious MSL files to ImageMagick. No public exploit code is currently available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.1.2-15 and 6.9.13-40
Vendor Advisory: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-8mpr-6xr2-chhc
Restart Required: No
Instructions:
1. Check current ImageMagick version with 'convert --version' or 'magick --version'.
2. Update using package manager: 'apt update && apt upgrade imagemagick' (Debian/Ubuntu) or 'yum update imagemagick' (RHEL/CentOS).
3. For source installations, download and compile from official ImageMagick repository.
🔧 Temporary Workarounds
Disable MSL processing
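Linux: Deny the MSL coder in ImageMagick's policy.xml so that potentially malicious MSL files are not processed. Adjust the path if your policy.xml lives elsewhere.
# Drop any existing MSL deny rule, then insert one inside <policymap> so the XML stays well-formed
sed -i '/<policy domain="coder" rights="none" pattern="MSL" \/>/d' /etc/ImageMagick-6/policy.xml
sed -i 's|</policymap>|  <policy domain="coder" rights="none" pattern="MSL" />\n</policymap>|' /etc/ImageMagick-6/policy.xml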
Restrict file uploads
All platforms: Configure web applications to reject MSL file uploads at the application layer
🧯 If You Can't Patch
- Implement strict input validation to reject MSL files at the application boundary
- Run ImageMagick in a sandboxed/containerized environment with limited privileges
🔍 How to Verify
Check if Vulnerable:
Check the ImageMagick version: 'convert --version | head -1' or 'magick --version | head -1'. If the version is below 7.1.2-15 (for ImageMagick 7) or 6.9.13-40 (for ImageMagick 6), the system is vulnerable.
Check Version:
(convert --version 2>/dev/null || magick --version 2>/dev/null) | head -1
Verify Fix Applied:
After patching, verify version shows 7.1.2-15 or higher (for IM7) or 6.9.13-40 or higher (for IM6). Test with a simple MSL file to ensure processing works without crashing.
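The version comparison described above, as an added shell example (not part of the original advisory or of ImageMagick); `ver_lt` and `im_status` are hypothetical helper names and the sample banners are constructed. It compares each numeric field, so 7.1.2-9 ranks below 7.1.2-15, which a plain string comparison gets wrong.

```shell
#!/bin/sh
# Added example: classify an ImageMagick version banner against the fixed
# releases named in this advisory (7.1.2-15 for IM7, 6.9.13-40 for IM6).

# ver_lt A B: true when A < B; both have the form MAJOR.MINOR.PATCH-RELEASE.
ver_lt() {
    old_ifs=$IFS; IFS='.-'
    set -- $1 $2            # $1..$4 = fields of A, $5..$8 = fields of B
    IFS=$old_ifs
    i=1
    while [ "$i" -le 4 ]; do
        eval "x=\${$i} y=\${$((i + 4))}"
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1                # equal versions are not "less than"
}

# im_status BANNER: prints "vulnerable", "fixed" or "unknown" for the first
# line printed by `magick --version` or `convert --version`.
im_status() {
    v=$(printf '%s\n' "$1" |
        sed -n 's/^Version: ImageMagick \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*-[0-9][0-9]*\).*/\1/p')
    case $v in
        7.*) fixed=7.1.2-15 ;;
        6.*) fixed=6.9.13-40 ;;
        *)   echo unknown; return 0 ;;   # not an ImageMagick 6/7 banner
    esac
    if ver_lt "$v" "$fixed"; then echo vulnerable; else echo fixed; fi
}

# Constructed sample banners (not captured from real hosts). On a real host,
# pass the first line of the installed binary's --version output instead.
for banner in \
    'Version: ImageMagick 7.1.2-9 Q16-HDRI x86_64 https://imagemagick.org' \
    'Version: ImageMagick 6.9.13-40 Q16 x86_64 https://legacy.imagemagick.org'; do
    printf '%-10s %s\n' "$(im_status "$banner")" "$banner"
done
```

Distribution packages may backport the fix without changing the upstream version string, so confirm a "vulnerable" result against the distributor's own advisory.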
📡 Detection & Monitoring
Log Indicators:
- ImageMagick process crashes with segmentation faults
- Repeated failed MSL file processing attempts
- Unusual MSL file uploads to web applications
Network Indicators:
- Unexpected MSL file uploads to image processing endpoints
- Traffic patterns suggesting MSL file testing
SIEM Query:
((process_name:"convert" OR process_name:"magick") AND (event_type:"crash" OR exit_code:139)) OR (file_extension:".msl" AND action:"upload")