CVE-2026-28688
Heap-Use-After-Free in ImageMagick MSL Encoder Causes Crash
Publication date: 2026-03-10
Last updated on: 2026-03-12
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| imagemagick | imagemagick | Up to 6.9.13-41 (exc) |
| imagemagick | imagemagick | From 7.0.0-0 (inc) to 7.1.2-16 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-28688 is a moderate-severity heap use-after-free vulnerability in the MSL encoder component of ImageMagick, affecting versions prior to 7.1.2-16 and 6.9.13-41.
The issue occurs because a cloned image object is destroyed twice, which leads to the use of memory after it has already been freed. This is a type of memory error known as CWE-416 (Use After Free).
Specifically, the MSL coder does not support writing MSL format, and this lack of support contributed to the double destruction of the cloned image.
The vulnerability was detected by AddressSanitizer during the DestroyImage function call in the MagickCore/image.c file.
The vulnerability has been fixed by removing the write capability of the MSL coder to prevent the double destruction scenario.
How can this vulnerability impact me?
This vulnerability has a low impact on the availability of the affected system or application: because memory is used after it has been freed, it may cause crashes or instability.
There is no impact on confidentiality or integrity, meaning it does not directly lead to data leaks or unauthorized data modification.
The attack vector is local, meaning an attacker would need local access to exploit this vulnerability.
No privileges or user interaction are required to trigger the issue once local access is obtained.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability was detected by AddressSanitizer, which reported heap-use-after-free errors in the MagickCore/image.c file at line 1195 during the DestroyImage function call.
To detect this vulnerability on your system, you can run ImageMagick operations that involve the MSL encoder under AddressSanitizer or similar memory error detection tools to identify heap-use-after-free errors.
There are no specific network detection commands provided, as this is a local vulnerability triggered by image processing.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed in ImageMagick versions 7.1.2-16 and 6.9.13-41 by removing the write capability of the MSL coder to prevent the double destruction scenario.
Immediate mitigation steps include upgrading ImageMagick to version 7.1.2-16 or later, or 6.9.13-41 or later, to apply the patch that addresses this heap-use-after-free vulnerability.
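The version ranges in the table above can be checked against an installed copy with a short script. This is an added example, not code from the original page or from the ImageMagick project; the function names are hypothetical, the sample banners are constructed, and it assumes the usual `Version: ImageMagick X.Y.Z-N ...` first line of `-version` output.

```python
import re
import shutil
import subprocess

# Affected ranges from the table on this page: (inclusive lower, exclusive upper).
AFFECTED_RANGES = [
    ((0, 0, 0, 0), (6, 9, 13, 41)),   # everything before 6.9.13-41
    ((7, 0, 0, 0), (7, 1, 2, 16)),    # 7.0.0-0 up to, not including, 7.1.2-16
]
VERSION_RE = re.compile(r"ImageMagick (\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_version(banner):
    """Return (major, minor, patch, release) from `-version` output, or None."""
    match = VERSION_RE.search(banner)
    return tuple(int(g) for g in match.groups()) if match else None


def assess(banner):
    """Classify a version banner as 'affected', 'fixed' or 'unknown'."""
    version = parse_version(banner)
    if version is None:
        return "unknown"
    hit = any(low <= version < high for low, high in AFFECTED_RANGES)
    return "affected" if hit else "fixed"


def installed_banner():
    """Ask the local binary for its banner (`magick` for 7.x, `convert` for 6.x)."""
    for tool in ("magick", "convert"):
        path = shutil.which(tool)
        if not path:
            continue
        try:
            result = subprocess.run([path, "-version"], capture_output=True,
                                    text=True, timeout=10)
        except (OSError, subprocess.SubprocessError):
            continue
        if parse_version(result.stdout):
            return result.stdout
    return ""


if __name__ == "__main__":
    # Constructed sample banners, so the logic can be checked without ImageMagick.
    for sample in ("Version: ImageMagick 7.1.2-15 Q16-HDRI x86_64",
                   "Version: ImageMagick 6.9.13-41 Q16 x86_64"):
        print(sample, "->", assess(sample))
    print("local install ->", assess(installed_banner()))
```

Distribution packages sometimes backport fixes without changing the upstream version string, so confirm an "affected" result against the vendor's own advisory.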