CVE-2026-26983
Received Received - Intake
Use-After-Free Vulnerability in ImageMagick MSL Interpreter Causes Crash

Publication date: 2026-02-24

Last updated on: 2026-02-24

Assigner: GitHub, Inc.

Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, the MSL interpreter crashes when processing a invalid `<map>` element that causes it to use an image after it has been freed. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-24
Last Modified
2026-02-24
Generated
2026-06-16
AI Q&A
2026-02-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-26983
EUVD
EUVD-2026-7412
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
imagemagick imagemagick to 6.9.13-40 (exc)
imagemagick imagemagick From 7.0.0-0 (inc) to 7.1.2-15 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-26983 is a moderate severity vulnerability affecting ImageMagick versions prior to 7.1.2-15 and 6.9.13-40. It occurs in the MSL (Magick Scripting Language) interpreter when processing an invalid <map> element. The interpreter crashes due to a use-after-free condition, meaning it tries to use an image object after it has already been freed from memory.

This issue is caused by a NULL pointer dereference (CWE-476), where the software attempts to access a pointer that is expected to be valid but is actually NULL.

Impact Analysis

The vulnerability impacts the availability of the ImageMagick software by causing the MSL interpreter to crash. This can lead to a denial of service (DoS) condition.

There is no impact on confidentiality or integrity, as the vulnerability does not allow unauthorized data access or modification.

Compliance Impact

I don't know

Detection Guidance

This vulnerability causes the ImageMagick MSL interpreter to crash when processing an invalid <map> element, resulting in a use-after-free condition. Detection can involve monitoring for crashes or denial of service symptoms related to ImageMagick processes.

Since the vulnerability is triggered by processing a crafted MSL script with an invalid <map> element, one detection approach is to test the ImageMagick installation by running MSL scripts containing such elements and observing if the interpreter crashes.

No specific commands or network detection signatures are provided in the available resources.

Mitigation Strategies

The immediate mitigation step is to upgrade ImageMagick to a patched version. Specifically, update to version 7.1.2-15 or later, or 6.9.13-40 or later, which contain fixes for this vulnerability.

Until the upgrade is applied, avoid processing untrusted or potentially malicious MSL scripts that could contain invalid <map> elements to prevent crashes and denial of service.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26983. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart