Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
4.0
ImageMagick MSL encoder can cause data corruption or crashes
CVE-2026-28688
GHSA-xxw5-m53x-j38c
Summary
A bug in the ImageMagick MSL encoder can cause it to access memory that has already been freed. This can lead to data corruption or crashes. As a precaution, users should update to the latest version of ImageMagick to ensure they have the latest security patches.
What to do
- Update magick.net-q16-anycpu to version 14.10.4.
- Update magick.net-q16-hdri-anycpu to version 14.10.4.
- Update magick.net-q16-hdri-openmp-arm64 to version 14.10.4.
- Update magick.net-q16-hdri-arm64 to version 14.10.4.
- Update magick.net-q16-hdri-x64 to version 14.10.4.
- Update magick.net-q16-hdri-x86 to version 14.10.4.
- Update magick.net-q16-openmp-arm64 to version 14.10.4.
- Update magick.net-q16-openmp-x64 to version 14.10.4.
- Update magick.net-q16-openmp-x86 to version 14.10.4.
- Update magick.net-q16-arm64 to version 14.10.4.
- Update magick.net-q16-x64 to version 14.10.4.
- Update magick.net-q16-x86 to version 14.10.4.
- Update magick.net-q16-hdri-openmp-x64 to version 14.10.4.
- Update magick.net-q8-anycpu to version 14.10.4.
- Update magick.net-q8-openmp-arm64 to version 14.10.4.
- Update magick.net-q8-openmp-x64 to version 14.10.4.
- Update magick.net-q8-arm64 to version 14.10.4.
- Update magick.net-q8-x64 to version 14.10.4.
- Update magick.net-q8-x86 to version 14.10.4.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | magick.net-q16-anycpu | <= 14.10.4 | 14.10.4 |
| – | magick.net-q16-hdri-anycpu | <= 14.10.4 | 14.10.4 |
| – | magick.net-q16-hdri-openmp-arm64 | <= 14.10.4 | 14.10.4 |
| – | magick.net-q16-hdri-arm64 | <= 14.10.4 | 14.10.4 |
| – | magick.net-q16-hdri-x64 | <= 14.10.4 | 14.10.4 |
| – | magick.net-q16-hdri-x86 | <= 14.10.4 | 14.10.4 |
| – | magick.net-q16-openmp-arm64 | <= 14.10.4 | 14.10.4 |
| – | magick.net-q16-openmp-x64 | <= 14.10.4 | 14.10.4 |
| – | magick.net-q16-openmp-x86 | <= 14.10.4 | 14.10.4 |
| – | magick.net-q16-arm64 | <= 14.10.4 | 14.10.4 |
| – | magick.net-q16-x64 | <= 14.10.4 | 14.10.4 |
| – | magick.net-q16-x86 | <= 14.10.4 | 14.10.4 |
| – | magick.net-q16-hdri-openmp-x64 | <= 14.10.4 | 14.10.4 |
| – | magick.net-q8-anycpu | <= 14.10.4 | 14.10.4 |
| – | magick.net-q8-openmp-arm64 | <= 14.10.4 | 14.10.4 |
| – | magick.net-q8-openmp-x64 | <= 14.10.4 | 14.10.4 |
| – | magick.net-q8-arm64 | <= 14.10.4 | 14.10.4 |
| – | magick.net-q8-x64 | <= 14.10.4 | 14.10.4 |
| – | magick.net-q8-x86 | <= 14.10.4 | 14.10.4 |
| imagemagick | imagemagick | <= 6.9.13-41 | – |
| imagemagick | imagemagick | > 7.0.0-0 , <= 7.1.2-16 | – |
Original title
ImageMagick has heap use-after-free in the MSL encoder
Original description
A heap-use-after-free vulnerability exists in the MSL encoder, where a cloned image is destroyed twice. The MSL coder does not support writing MSL so the write capability has been removed.
```
SUMMARY: AddressSanitizer: heap-use-after-free MagickCore/image.c:1195 in DestroyImage
Shadow bytes around the buggy address:
0x0a4e80007450: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0a4e80007460: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0a4e80007470: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0a4e80007480: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0a4e80007490: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0a4e800074a0: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd
0x0a4e800074b0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
0x0a4e800074c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0a4e800074d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0a4e800074e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0a4e800074f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
```
```
SUMMARY: AddressSanitizer: heap-use-after-free MagickCore/image.c:1195 in DestroyImage
Shadow bytes around the buggy address:
0x0a4e80007450: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0a4e80007460: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0a4e80007470: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0a4e80007480: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0a4e80007490: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0a4e800074a0: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd
0x0a4e800074b0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
0x0a4e800074c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0a4e800074d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0a4e800074e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0a4e800074f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
```
nvd CVSS3.1
4.0
Vulnerability type
CWE-416
Use After Free
Published: 12 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026