Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/61585?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/61585?format=api", "purl": "pkg:nuget/Magick.NET-Q8-OpenMP-x64@14.10.2", "type": "nuget", "namespace": "", "name": "Magick.NET-Q8-OpenMP-x64", "version": "14.10.2", "qualifiers": {}, "subpath": "", "is_vulnerable": false, "next_non_vulnerable_version": "14.10.3", "latest_non_vulnerable_version": "14.12.0", "affected_by_vulnerabilities": [], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/20782?format=api", "vulnerability_id": "VCID-569d-6nue-5kbq", "summary": "ImageMagick releases an invalid pointer in BilateralBlur when memory allocation fails\nThe BilateralBlurImage method will allocate a set of double buffers inside AcquireBilateralTLS. But the last element in the set is not properly initialized. This will result in a release of an invalid pointer inside DestroyBilateralTLS when the memory allocation fails.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22770.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22770.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-22770", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00067", "scoring_system": "epss", "scoring_elements": "0.2077", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00067", "scoring_system": "epss", "scoring_elements": "0.20785", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00067", "scoring_system": "epss", "scoring_elements": "0.20793", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00067", "scoring_system": "epss", "scoring_elements": "0.20803", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00067", "scoring_system": "epss", "scoring_elements": "0.20855", 
"published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00067", "scoring_system": "epss", "scoring_elements": "0.20898", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00067", "scoring_system": "epss", "scoring_elements": "0.20883", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00067", "scoring_system": "epss", "scoring_elements": "0.20822", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00067", "scoring_system": "epss", "scoring_elements": "0.20743", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00067", "scoring_system": "epss", "scoring_elements": "0.2097", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00067", "scoring_system": "epss", "scoring_elements": "0.21028", "published_at": "2026-04-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-22770" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.10.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.10.2" }, { "reference_url": "https://github.com/ImageMagick/ImageMagick", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ImageMagick/ImageMagick" }, { "reference_url": 
"https://github.com/ImageMagick/ImageMagick/commit/3e0330721020e0c5bb52e4b77c347527dd71658e", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-21T20:05:17Z/" } ], "url": "https://github.com/ImageMagick/ImageMagick/commit/3e0330721020e0c5bb52e4b77c347527dd71658e" }, { "reference_url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-39h3-g67r-7g3c", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-21T20:05:17Z/" } ], "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-39h3-g67r-7g3c" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22770", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22770" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126074", "reference_id": "1126074", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126074" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431037", "reference_id": "2431037", "reference_type": "", "scores": [], 
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431037" }, { "reference_url": "https://github.com/advisories/GHSA-39h3-g67r-7g3c", "reference_id": "GHSA-39h3-g67r-7g3c", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-39h3-g67r-7g3c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/61585?format=api", "purl": "pkg:nuget/Magick.NET-Q8-OpenMP-x64@14.10.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:nuget/Magick.NET-Q8-OpenMP-x64@14.10.2" } ], "aliases": [ "CVE-2026-22770", "GHSA-39h3-g67r-7g3c" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-569d-6nue-5kbq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/20741?format=api", "vulnerability_id": "VCID-6meg-yjby-a7gj", "summary": "ImageMagick has a Memory Leak in LoadOpenCLDeviceBenchmark() when parsing malformed XML\n### Summary\n\nA memory leak vulnerability exists in the `LoadOpenCLDeviceBenchmark()` function in `MagickCore/opencl.c`. When parsing a malformed OpenCL device profile XML file that contains `<device` elements without proper `/>` closing tags, the function fails to release allocated memory for string members (`platform_name`, `vendor_name`, `name`, `version`), leading to memory leaks that could result in resource exhaustion.\n\n**Affected Version**: ImageMagick 7.1.2-12 and possibly earlier versions\n\n---\n\n### Details\n\nThe vulnerability is located in `MagickCore/opencl.c`, function `LoadOpenCLDeviceBenchmark()` (lines 754-911).\n\n**Root Cause Analysis:**\n\n1. When a `<device` tag is encountered, a `MagickCLDeviceBenchmark` structure is allocated (line 807-812)\n2. 
String attributes (`platform`, `vendor`, `name`, `version`) are allocated via `ConstantString()` (lines 878, 885, 898, 900)\n3. These strings are **only freed** when a `/>` closing tag is encountered (lines 840-849)\n4. At function exit (lines 908-910), only the `device_benchmark` structure is freed, but **its member variables are not freed** if `/>` was never parsed\n\n**Vulnerable Code (lines 908-910):**\n\n```c\ntoken=(char *) RelinquishMagickMemory(token);\ndevice_benchmark=(MagickCLDeviceBenchmark *) RelinquishMagickMemory(\n device_benchmark); // BUG: members (platform_name, vendor_name, name, version) not freed!\n```\n\n**Correct cleanup (only executed when `/>` is found, lines 840-849):**\n\n```c\ndevice_benchmark->platform_name=(char *) RelinquishMagickMemory(device_benchmark->platform_name);\ndevice_benchmark->vendor_name=(char *) RelinquishMagickMemory(device_benchmark->vendor_name);\ndevice_benchmark->name=(char *) RelinquishMagickMemory(device_benchmark->name);\ndevice_benchmark->version=(char *) RelinquishMagickMemory(device_benchmark->version);\ndevice_benchmark=(MagickCLDeviceBenchmark *) RelinquishMagickMemory(device_benchmark);\n```\n\n---\n\n### PoC\n\n**Environment:**\n- OS: Ubuntu 22.04.5 LTS (Linux 6.8.0-87-generic x86_64)\n- Compiler: GCC 11.4.0\n- ImageMagick: 7.1.2-13 (commit `a52c1b402be08ef8ae193f28ac5b2e120f2fa26f`)\n\n**Step 1: Build ImageMagick with AddressSanitizer**\n\n```bash\ncd ImageMagick\n./configure \\\n CFLAGS=\"-g -O0 -fsanitize=address -fno-omit-frame-pointer\" \\\n CXXFLAGS=\"-g -O0 -fsanitize=address -fno-omit-frame-pointer\" \\\n LDFLAGS=\"-fsanitize=address\" \\\n --disable-openmp\nmake -j$(nproc)\n```\n\n**Step 2: Create malformed XML file**\n\n**Step 3: Place file in OpenCL cache directory**\n\n```bash\nmkdir -p ~/.cache/ImageMagick\ncp malformed_opencl_profile.xml ~/.cache/ImageMagick/ImagemagickOpenCLDeviceProfile.xml\n```\n\n**Step 4: Run ImageMagick with leak detection**\n\n```bash\nexport 
ASAN_OPTIONS=\"detect_leaks=1:symbolize=1\"\n./utilities/magick -size 100x100 xc:red output.png\n```\n\n**ASAN Output:**\n\n```\n=================================================================\n==2543490==ERROR: LeakSanitizer: detected memory leaks\n\nDirect leak of 96 byte(s) in 2 object(s) allocated from:\n #0 ... in AcquireMagickMemory MagickCore/memory.c:536\n #1 ... in LoadOpenCLDeviceBenchmark MagickCore/opencl.c:807\n\nDirect leak of 16 byte(s) in 1 object(s) allocated from:\n #0 ... in ConstantString MagickCore/string.c:692\n #1 ... in LoadOpenCLDeviceBenchmark MagickCore/opencl.c:878 ← name\n\nDirect leak of 14 byte(s) in 1 object(s) allocated from:\n #0 ... in ConstantString MagickCore/string.c:692\n #1 ... in LoadOpenCLDeviceBenchmark MagickCore/opencl.c:885 ← platform_name\n\nDirect leak of 14 byte(s) in 1 object(s) allocated from:\n #0 ... in ConstantString MagickCore/string.c:692\n #1 ... in LoadOpenCLDeviceBenchmark MagickCore/opencl.c:898 ← vendor_name\n\nDirect leak of 15 byte(s) in 1 object(s) allocated from:\n #0 ... in ConstantString MagickCore/string.c:692\n #1 ... 
in LoadOpenCLDeviceBenchmark MagickCore/opencl.c:900 ← version\n\nSUMMARY: AddressSanitizer: 203 byte(s) leaked in 18 allocation(s).\n```\n\n---\n\n### Impact\n\n**Vulnerability Type:** CWE-401 (Missing Release of Memory after Effective Lifetime)\n\n**Severity:** Low\n\n**Who is impacted:**\n- Users who have OpenCL enabled in ImageMagick\n- Systems where an attacker can place or modify files in the OpenCL cache directory (`~/.cache/ImageMagick/`)\n- Long-running ImageMagick processes or services that repeatedly initialize OpenCL\n\n**Potential consequences:**\n- Memory exhaustion over time if the malformed configuration is repeatedly loaded\n- Denial of Service (DoS) in resource-constrained environments\n\n**Attack Vector:** Local - requires write access to the user's OpenCL cache directory", "references": [ { "reference_url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.10.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.10.2" }, { "reference_url": "https://github.com/ImageMagick/ImageMagick", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ImageMagick/ImageMagick" }, { "reference_url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qp59-x883-77qv", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", 
"scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qp59-x883-77qv" }, { "reference_url": "https://github.com/advisories/GHSA-qp59-x883-77qv", "reference_id": "GHSA-qp59-x883-77qv", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qp59-x883-77qv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/61585?format=api", "purl": "pkg:nuget/Magick.NET-Q8-OpenMP-x64@14.10.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:nuget/Magick.NET-Q8-OpenMP-x64@14.10.2" } ], "aliases": [ "GHSA-qp59-x883-77qv" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6meg-yjby-a7gj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/20601?format=api", "vulnerability_id": "VCID-h221-qd8d-tqa5", "summary": "ImageMagick has a NULL pointer dereference in MSL parser via <comment> tag before image load\n## Summary\n\nNULL pointer dereference in MSL (Magick Scripting Language) parser when processing `<comment>` tag before any image is loaded.\n\n## Version\n\n- ImageMagick 7.x (tested on current main branch)\n- Commit: HEAD\n\n## Steps to Reproduce\n\n### Method 1: Using ImageMagick directly\n\n```bash\nmagick MSL:poc.msl out.png\n```\n\n### Method 2: Using OSS-Fuzz reproduce\n\n```bash\npython3 infra/helper.py build_fuzzers imagemagick\npython3 infra/helper.py reproduce imagemagick msl_fuzzer poc.msl\n```\n\nOr run the fuzzer directly:\n```bash\n./msl_fuzzer poc.msl\n```\n\n## Expected Behavior\n\nImageMagick should handle the malformed MSL gracefully and return an error message.\n\n## Actual Behavior\n\n```\nconvert: MagickCore/property.c:297: MagickBooleanType DeleteImageProperty(Image 
*, const char *): Assertion `image != (Image *) NULL' failed.\nAborted\n```\n\n## Root Cause Analysis\n\nIn `coders/msl.c:7091`, `MSLEndElement()` calls `DeleteImageProperty()` on `msl_info->image[n]` when handling the `</comment>` end tag without checking if the image is NULL:\n\n```c\nif (LocaleCompare((const char *) tag,\"comment\") == 0 )\n {\n (void) DeleteImageProperty(msl_info->image[n],\"comment\"); // No NULL check\n ...\n }\n```\n\nWhen `<comment>` appears before any `<read>` operation, `msl_info->image[n]` is NULL, causing the assertion failure in `DeleteImageProperty()` at `property.c:297`.\n\n## Impact\n\n- **DoS**: Crash via assertion failure (debug builds) or NULL pointer dereference (release builds)\n- **Affected**: Any application using ImageMagick to process user-supplied MSL files\n\n## Fuzzer\n\nThis issue was discovered using a custom MSL fuzzer:\n\n```cpp\n#include <cstdint>\n#include <Magick++/Blob.h>\n#include <Magick++/Image.h>\n#include \"utils.cc\"\n\nextern \"C\" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)\n{\n if (IsInvalidSize(Size))\n return(0);\n try\n {\n const Magick::Blob blob(Data, Size);\n Magick::Image image;\n image.magick(\"MSL\");\n image.fileName(\"MSL:\");\n image.read(blob);\n }\n catch (Magick::Exception)\n {\n }\n return(0);\n}\n```\n\nThis issue was found by Team FuzzingBrain @ Texas A&M University", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23952.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23952.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23952", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.0569", "published_at": 
"2026-04-21T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05517", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05553", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.0559", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05615", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05586", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05576", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05569", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05525", "published_at": "2026-04-18T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23952" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23952", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23952" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.10.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", 
"scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-22T21:43:24Z/" } ], "url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.10.2" }, { "reference_url": "https://github.com/ImageMagick/ImageMagick", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ImageMagick/ImageMagick" }, { "reference_url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-5vx3-wx4q-6cj8", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-22T21:43:24Z/" } ], "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-5vx3-wx4q-6cj8" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126077", "reference_id": "1126077", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126077" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431905", "reference_id": "2431905", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431905" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23952", "reference_id": "CVE-2026-23952", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23952" }, { "reference_url": "https://github.com/advisories/GHSA-5vx3-wx4q-6cj8", "reference_id": "GHSA-5vx3-wx4q-6cj8", "reference_type": "", "scores": [ { 
"value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5vx3-wx4q-6cj8" }, { "reference_url": "https://usn.ubuntu.com/8127-1/", "reference_id": "USN-8127-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8127-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/61585?format=api", "purl": "pkg:nuget/Magick.NET-Q8-OpenMP-x64@14.10.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:nuget/Magick.NET-Q8-OpenMP-x64@14.10.2" } ], "aliases": [ "CVE-2026-23952", "GHSA-5vx3-wx4q-6cj8" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-h221-qd8d-tqa5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/20141?format=api", "vulnerability_id": "VCID-vaks-d4k5-zue7", "summary": "ImageMagick MSL: Stack overflow via infinite recursion in ProcessMSLScript\n## Summary\n\nStack overflow via infinite recursion in MSL (Magick Scripting Language) `<write>` command when writing to MSL format.\n\n## Version\n\n- ImageMagick 7.x (tested on current main branch)\n- Commit: HEAD\n- Requires: libxml2 support (for MSL parsing)\n\n## Steps to Reproduce\n\n### Method 1: Using ImageMagick directly\n\n```bash\nmagick MSL:recursive.msl out.png\n```\n\n### Method 2: Using OSS-Fuzz reproduce\n\n```bash\npython3 infra/helper.py build_fuzzers imagemagick\npython3 infra/helper.py reproduce imagemagick msl_fuzzer recursive.msl\n```\n\nOr run the fuzzer directly:\n```bash\n./msl_fuzzer recursive.msl\n```\n\n## Expected Behavior\n\nImageMagick should handle recursive MSL references gracefully by detecting the loop and returning an error.\n\n## Actual Behavior\n\nStack overflow causes process crash:\n\n```\nAddressSanitizer:DEADLYSIGNAL\n==PID==ERROR: AddressSanitizer: stack-overflow\n #0 MSLStartElement 
/src/imagemagick/coders/msl.c:7045\n #1 xmlParseStartTag /src/libxml2/parser.c\n #2 xmlParseChunk /src/libxml2/parser.c:11273\n #3 ProcessMSLScript /src/imagemagick/coders/msl.c:7405\n #4 WriteMSLImage /src/imagemagick/coders/msl.c:7867\n #5 WriteImage /src/imagemagick/MagickCore/constitute.c:1346\n #6 MSLStartElement /src/imagemagick/coders/msl.c:7045\n ... (infinite recursion, 287+ frames)\n```\n\n## Root Cause Analysis\n\nIn `coders/msl.c`, the `<write>` command handler in `MSLStartElement()` (line ~7045) calls `WriteImage()`. When the output filename specifies MSL format (`msl:filename`), `WriteMSLImage()` is called, which parses the MSL file again via `ProcessMSLScript()`.\n\nIf the MSL file references itself (directly or indirectly), this creates an infinite recursion loop:\n\n```\nMSLStartElement() → WriteImage() → WriteMSLImage() → ProcessMSLScript()\n → xmlParseChunk() → MSLStartElement() → ... (infinite loop)\n```\n\n## Impact\n\n- **DoS**: Guaranteed crash via stack exhaustion\n- **Affected**: Any application using ImageMagick to process user-supplied MSL files\n\n## Additional Trigger Paths\n\nThe `<read>` command can also trigger recursion:\n\nIndirect recursion is also possible (a.msl → b.msl → a.msl).\n\n## Fuzzer\n\nThis issue was discovered using a custom MSL fuzzer:\n\n```cpp\n#include <cstdint>\n#include <Magick++/Blob.h>\n#include <Magick++/Image.h>\n#include \"utils.cc\"\n\nextern \"C\" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)\n{\n if (IsInvalidSize(Size))\n return(0);\n try\n {\n const Magick::Blob blob(Data, Size);\n Magick::Image image;\n image.magick(\"MSL\");\n image.fileName(\"MSL:\");\n image.read(blob);\n }\n catch (Magick::Exception)\n {\n }\n return(0);\n}\n```\n\nThis issue was found by Team FuzzingBrain @ Texas A&M University", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23874.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", 
"scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23874.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23874", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05194", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05051", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.0508", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05101", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05134", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.0515", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05125", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05108", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05093", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05041", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05046", "published_at": "2026-04-18T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23874" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23874", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23874" }, { "reference_url": 
"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.10.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.10.2" }, { "reference_url": "https://github.com/ImageMagick/ImageMagick", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ImageMagick/ImageMagick" }, { "reference_url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9vj4-wc7r-p844", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-20T21:37:11Z/" } ], "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9vj4-wc7r-p844" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23874", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23874" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126075", "reference_id": "1126075", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126075" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431034", "reference_id": "2431034", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431034" }, { "reference_url": "https://github.com/advisories/GHSA-9vj4-wc7r-p844", "reference_id": "GHSA-9vj4-wc7r-p844", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9vj4-wc7r-p844" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/61585?format=api", "purl": "pkg:nuget/Magick.NET-Q8-OpenMP-x64@14.10.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:nuget/Magick.NET-Q8-OpenMP-x64@14.10.2" } ], "aliases": [ "CVE-2026-23874", "GHSA-9vj4-wc7r-p844" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vaks-d4k5-zue7" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:nuget/Magick.NET-Q8-OpenMP-x64@14.10.2" }