CVE-2026-26983 — NULL Pointer Dereference in Imagemagick

CWE-476 — NULL Pointer Dereference CWE-416 — Use After Free CWE-825 — Expired Pointer Dereference8 documents7 sources

Severity

5.3MEDIUMNVD

EPSS

0.0%

top 96.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Imagemagick

Timeline

PublishedFeb 24

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, the MSL interpreter crashes when processing a invalid `` element that causes it to use an image after it has been freed. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶CVEListV5imagemagick/imagemagick< 6.9.13-40+1

▶NVDimagemagick/imagemagick7.0.0-0 — 7.1.2-15+1

▶Debianimagemagick/imagemagick< 8:7.1.1.43+dfsg1-1+deb13u6+1

🔴Vulnerability Details

OSV

CVE-2026-26983: ImageMagick is free and open-source software used for editing and manipulating digital images↗2026-02-24

▶

CVEList

ImageMagick: Invalid MSL <map> can result in a use after free↗2026-02-24

▶

GHSA

ImageMagick: Invalid MSL <map> can result in a use after free↗2026-02-24

▶

OSV

ImageMagick: Invalid MSL <map> can result in a use after free↗2026-02-24

▶

📋Vendor Advisories

Red Hat

ImageMagick: ImageMagick: Denial of Service via invalid MSL map element processing↗2026-02-24

▶

Debian

CVE-2026-26983: imagemagick - ImageMagick is free and open-source software used for editing and manipulating d...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-26983 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶