Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-836n-xdhx-zye3
Vulnerability ID VCID-836n-xdhx-zye3
Aliases CVE-2026-25983
GHSA-fwqw-2x5x-w566
Summary ImageMagick has Use After Free in MSLStartElement in "coders/msl.c" A crafted MSL script triggers a heap-use-after-free. The operation element handler replaces and frees the image while the parser continues reading from it, leading to a UAF in ReadBlobString during further parsing.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-416 Use After Free
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
There are no known severity scores.
Reference id Reference type URL
https://github.com/dlemstra/Magick.NET/releases/tag/14.10.3
https://github.com/ImageMagick/ImageMagick
https://github.com/ImageMagick/ImageMagick/commit/257200cb21de23404dce5f8261871845d425dee5
CVE-2026-25983 https://nvd.nist.gov/vuln/detail/CVE-2026-25983
GHSA-fwqw-2x5x-w566 https://github.com/advisories/GHSA-fwqw-2x5x-w566
GHSA-fwqw-2x5x-w566 https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-fwqw-2x5x-w566
No exploits are available.
There are no known vectors.

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2026-06-02T04:50:23.488300+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/Magick.NET-Q8-arm64/CVE-2026-25983.yml 38.6.0