Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
.NET NuGet

GHSA-5vx3-wx4q-6cj8

MEDIUM

ImageMagick has a NULL pointer dereference in MSL parser via <comment> tag before image load

Also known asCVE-2026-23952
Published
Jan 21, 2026
Updated
Feb 16, 2026
Affected
19 pkgs
Patched
19 / 19
Exploits
None indexed

EPSS Exploitation Probability

via FIRST.org ↗
0.4%probability of exploitation in next 30 days
Lower Risk34th percentile+0.41%
0.00%0.31%0.62%0.93%0.0%0.4%Feb 26May 26Jun 26

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

19 pkgs affected
.NETMagick.NET-Q8-x64.NETMagick.NET-Q8-arm64.NETMagick.NET-Q8-x86.NETMagick.NET-Q8-OpenMP-x64.NETMagick.NET-Q8-OpenMP-arm64.NETMagick.NET-Q16-x64.NETMagick.NET-Q16-arm64.NETMagick.NET-Q16-x86+11 more

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects NuGet packages — download data is not available via public APIs for these ecosystems.

Description

Summary

NULL pointer dereference in MSL (Magick Scripting Language) parser when processing <comment> tag before any image is loaded.

Version

  • ImageMagick 7.x (tested on current main branch)
  • Commit: HEAD

Steps to Reproduce

Method 1: Using ImageMagick directly

magick MSL:poc.msl out.png

Method 2: Using OSS-Fuzz reproduce

python3 infra/helper.py build_fuzzers imagemagick
python3 infra/helper.py reproduce imagemagick msl_fuzzer poc.msl

Or run the fuzzer directly:

./msl_fuzzer poc.msl

Expected Behavior

ImageMagick should handle the malformed MSL gracefully and return an error message.

Actual Behavior

convert: MagickCore/property.c:297: MagickBooleanType DeleteImageProperty(Image *, const char *): Assertion `image != (Image *) NULL' failed.
Aborted

Root Cause Analysis

In coders/msl.c:7091, MSLEndElement() calls DeleteImageProperty() on msl_info->image[n] when handling the </comment> end tag without checking if the image is NULL:

if (LocaleCompare((const char *) tag,"comment") == 0 )
  {
    (void) DeleteImageProperty(msl_info->image[n],"comment");  // No NULL check
    ...
  }

When <comment> appears before any <read> operation, msl_info->image[n] is NULL, causing the assertion failure in DeleteImageProperty() at property.c:297.

Impact

  • DoS: Crash via assertion failure (debug builds) or NULL pointer dereference (release builds)
  • Affected: Any application using ImageMagick to process user-supplied MSL files

Fuzzer

This issue was discovered using a custom MSL fuzzer:

#include <cstdint>
#include <Magick++/Blob.h>
#include <Magick++/Image.h>
#include "utils.cc"

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{
  if (IsInvalidSize(Size))
    return(0);
  try
  {
    const Magick::Blob blob(Data, Size);
    Magick::Image image;
    image.magick("MSL");
    image.fileName("MSL:");
    image.read(blob);
  }
  catch (Magick::Exception)
  {
  }
  return(0);
}

This issue was found by Team FuzzingBrain @ Texas A&M University

Affected Packages

19 total 19 fixed
EcosystemPackageVulnerable rangeFix
.NETNuGetMagick.NET-Q8-x64all versions14.10.2
.NETNuGetMagick.NET-Q8-arm64all versions14.10.2
.NETNuGetMagick.NET-Q8-x86all versions14.10.2
.NETNuGetMagick.NET-Q8-OpenMP-x64all versions14.10.2
.NETNuGetMagick.NET-Q8-OpenMP-arm64all versions14.10.2
.NETNuGetMagick.NET-Q16-x64all versions14.10.2

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for Magick.NET-Q8-x64. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update Magick.NET-Q8-x64 to 14.10.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-5vx3-wx4q-6cj8 is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-5vx3-wx4q-6cj8 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-5vx3-wx4q-6cj8. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

## Summary NULL pointer dereference in MSL (Magick Scripting Language) parser when processing `<comment>` tag before any image is loaded. ## Version - ImageMagick 7.x (tested on current main branch) - Commit: HEAD ## Steps to Reproduce ### Method 1: Using ImageMagick directly ```bash magick MSL:poc.msl out.png ``` ### Method 2: Using OSS-Fuzz reproduce ```bash python3 infra/helper.py build_fuzzers imagemagick python3 infra/helper.py reproduce imagemagick msl_fuzzer poc.msl ``` Or run the fuzzer directly: ```bash ./msl_fuzzer poc.msl ``` ## Expected Behavior ImageMagick should handle
O3 Security · Impact-Aware SCA

Is GHSA-5vx3-wx4q-6cj8 in your dependencies?

O3 detects GHSA-5vx3-wx4q-6cj8 across NuGet dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works