CVE-2026-23952

ImageMagick is free and open-source software used for editing and manipulating digital images. Versions 14.10.1 and below have a NULL pointer dereference vulnerability in the MSL (Magick Scripting Language) parser when processing <comment> tags before images are loaded. This can lead to DoS attack due to assertion failure (debug builds) or NULL pointer dereference (release builds). This issue is fixed in version 14.10.2.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-5vx3-wx4q-6cj8	Exploit Vendor Advisory
https://github.com/dlemstra/Magick.NET/releases/tag/14.10.2	Product Release Notes

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:imagemagick:imagemagick::::::::
	cpe:2.3:a:imagemagick:imagemagick::::::::

Configuration 2 (hide)

cpe:2.3:a:dlemstra:magick.net:*:*:*:*:*:*:*:*

History

27 Feb 2026, 15:35

Type	Values Removed	Values Added
References	~~() https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-5vx3-wx4q-6cj8 -~~	() https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-5vx3-wx4q-6cj8 - Exploit, Vendor Advisory
References	~~() https://github.com/dlemstra/Magick.NET/releases/tag/14.10.2 -~~	() https://github.com/dlemstra/Magick.NET/releases/tag/14.10.2 - Product, Release Notes
CPE		cpe:2.3:a:imagemagick:imagemagick:::::::: cpe:2.3:a:dlemstra:magick.net::::::::
First Time		Dlemstra Imagemagick imagemagick Dlemstra magick.net Imagemagick

22 Jan 2026, 01:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-22 01:15

Updated : 2026-02-27 15:35

NVD link : CVE-2026-23952

Mitre link : CVE-2026-23952

CVE.ORG link : CVE-2026-23952

JSON object : View

Products Affected

imagemagick

imagemagick

dlemstra

magick.net

CWE

CWE-476

NULL Pointer Dereference

{"id": "CVE-2026-23952", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-01-22T01:15:52.790", "references": [{"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-5vx3-wx4q-6cj8", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.10.2", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-476"}]}], "descriptions": [{"lang": "en", "value": "ImageMagick is free and open-source software used for editing and manipulating digital images. Versions 14.10.1 and below have a NULL pointer dereference vulnerability in the MSL (Magick Scripting Language) parser when processing <comment> tags before images are loaded. This can lead to DoS attack due to assertion failure (debug builds) or NULL pointer dereference (release builds). This issue is fixed in version 14.10.2."}], "lastModified": "2026-02-27T15:35:07.890", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B5479E5D-F05A-4418-9D2B-12523B300E2C", "versionEndExcluding": "6.9.13-38"}, {"criteria": "cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F658C5B2-8A54-42DB-88AB-FB7D5FE1712C", "versionEndExcluding": "7.1.2-13", "versionStartIncluding": "7.0.0-0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dlemstra:magick.net:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "016CE8C8-345A-46C9-8E07-6B8E94D3D2FF", "versionEndExcluding": "14.10.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}