ImageMagick has Heap Use-After-Free in ImageMagick MSL decoder

A heap use-after-free vulnerability in ImageMagick's MSL decoder allows an attacker to trigger access to freed memory by crafting an MSL file.

=================================================================
==1500633==ERROR: AddressSanitizer: heap-use-after-free on address 0x527000011550 at pc 0x5612583fa212 bp 0x7ffedb86d160 sp 0x7ffedb86d150
READ of size 8 at 0x527000011550 thread T0

References

dlemstra published to ImageMagick/ImageMagick Mar 9, 2026

Published by the National Vulnerability Database Mar 10, 2026

Published to the GitHub Advisory Database Mar 12, 2026

Reviewed Mar 12, 2026

Last updated Mar 12, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

References

Severity

CVSS overall score

CVSS v3 base metrics

CVSS v3 base metrics

EPSS score

Exploit Prediction Scoring System (EPSS)

Weaknesses

Use After Free

CVE ID

GHSA ID

Source code

Credits

Uh oh!