What is the severity of CVE-2026-23874?

CVE-2026-23874 has a CVSS v3 score of 5.5, which is classified as Medium severity.

Is there an exploit available for CVE-2026-23874?

No known public exploits are currently available for CVE-2026-23874.

Is there a patch available for CVE-2026-23874?

Yes, patches are available for CVE-2026-23874. Check the vendor advisories for update instructions.

CVE-2026-23874 - CVE Details, Severity, and Analysis

Published: January 26, 2026

Last updated:20 hours ago (January 26, 2026)

Updated January 26, 2026

no major risk factors

Summary

Stack overflow via infinite recursion in MSL (Magick Scripting Language) <write> command when writing to MSL format.

Version

ImageMagick 7.x (tested on current main branch)
Commit: HEAD
Requires: libxml2 support (for MSL parsing)

Steps to Reproduce

Method 1: Using ImageMagick directly

magick MSL:recursive.msl out.png

Method 2: Using OSS-Fuzz reproduce

python3 infra/helper.py build_fuzzers imagemagick
python3 infra/helper.py reproduce imagemagick msl_fuzzer recursive.msl

Or run the fuzzer directly:

./msl_fuzzer recursive.msl

Expected Behavior

ImageMagick should handle recursive MSL references gracefully by detecting the loop and returning an error.

Actual Behavior

Stack overflow causes process crash:

AddressSanitizer:DEADLYSIGNAL
==PID==ERROR: AddressSanitizer: stack-overflow
    #0 MSLStartElement /src/imagemagick/coders/msl.c:7045
    #1 xmlParseStartTag /src/libxml2/parser.c
    #2 xmlParseChunk /src/libxml2/parser.c:11273
    #3 ProcessMSLScript /src/imagemagick/coders/msl.c:7405
    #4 WriteMSLImage /src/imagemagick/coders/msl.c:7867
    #5 WriteImage /src/imagemagick/MagickCore/constitute.c:1346
    #6 MSLStartElement /src/imagemagick/coders/msl.c:7045
    ... (infinite recursion, 287+ frames)

Root Cause Analysis

In coders/msl.c, the <write> command handler in MSLStartElement() (line ~7045) calls WriteImage(). When the output filename specifies MSL format (msl:filename), WriteMSLImage() is called, which parses the MSL file again via ProcessMSLScript().

If the MSL file references itself (directly or indirectly), this creates an infinite recursion loop:

MSLStartElement() → WriteImage() → WriteMSLImage() → ProcessMSLScript()
    → xmlParseChunk() → MSLStartElement() → ... (infinite loop)

Impact

DoS: Guaranteed crash via stack exhaustion
Affected: Any application using ImageMagick to process user-supplied MSL files

Additional Trigger Paths

The <read> command can also trigger recursion:

Indirect recursion is also possible (a.msl → b.msl → a.msl).

Fuzzer

This issue was discovered using a custom MSL fuzzer:

#include <cstdint>
#include <Magick++/Blob.h>
#include <Magick++/Image.h>
#include "utils.cc"

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{
  if (IsInvalidSize(Size))
    return(0);
  try
  {
    const Magick::Blob blob(Data, Size);
    Magick::Image image;
    image.magick("MSL");
    image.fileName("MSL:");
    image.read(blob);
  }
  catch (Magick::Exception)
  {
  }
  return(0);
}

This issue was found by Team FuzzingBrain @ Texas A&M University

Strobes VI. (2026). CVE-2026-23874 - CVE Details and Analysis. Strobes VI. Retrieved January 27, 2026, from https://vi.strobes.co/cve/CVE-2026-23874