CVE-2026-23874
BaseFortify
Publication date: 2026-01-20
Last updated on: 2026-01-29
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| imagemagick | imagemagick | to 7.1.2-13 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-835 | The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a stack overflow in ImageMagick versions prior to 7.1.2-13 caused by infinite recursion in the Magick Scripting Language (MSL) when using the <write> command to write to MSL format. Specifically, if an MSL script references itself directly or indirectly, it triggers repeated calls between functions handling the script parsing and writing, leading to infinite recursion and stack exhaustion, which crashes the application. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade ImageMagick to version 7.1.2-13 or later, where this stack overflow vulnerability in MSL processing is fixed. Additionally, avoid processing untrusted or user-supplied MSL scripts, especially those that use the <write> command or filenames with the "msl:" prefix, to prevent triggering the infinite recursion and stack overflow. [1]
How can this vulnerability impact me? :
The vulnerability can cause a Denial of Service (DoS) by crashing any application that uses ImageMagick to process user-supplied MSL files. It affects availability only, with no impact on confidentiality or integrity. The attack requires local access with low privileges and no user interaction, making it relatively low complexity to exploit. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your system is running an affected version of ImageMagick prior to 7.1.2-13. Additionally, monitoring for crashes or stack overflow errors related to ImageMagick processing MSL scripts, especially those involving the <write> command or filenames prefixed with "msl:", can indicate exploitation attempts. Since the vulnerability involves infinite recursion in MSL scripts, you can test by running ImageMagick commands that process MSL files with recursive references and observe if a stack overflow or crash occurs. Specific commands are not provided in the resources. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability causes a denial of service (availability impact) but does not affect confidentiality or integrity. Therefore, it does not directly impact compliance with standards focused on data protection such as GDPR or HIPAA, which primarily concern confidentiality and integrity of data. However, the availability impact could indirectly affect compliance if system availability is a regulatory requirement. [1]