CVE-2026-23874

The Snake That Eats Its Own Tail: ImageMagick MSL Recursion DoS

Amit Schendel
Senior Security Researcher

Jan 21, 2026 · 6 min read

Executive Summary (TL;DR)

ImageMagick's obscure XML-based scripting language (MSL) allows a script to write an output file that in turn invokes the MSL parser. By crafting a simple XML file whose output is written back to itself, or to another file in MSL format, an attacker can trigger unbounded recursion that exhausts the stack and crashes the application (DoS). Fixed in 7.1.2-13.

A stack overflow vulnerability in ImageMagick's Magick Scripting Language (MSL) parser allows for Denial of Service via infinite recursion.
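Because the exposure described above comes from the MSL coder being reachable at all under a default policy, the practical mitigation short of upgrading is to deny that coder in ImageMagick's policy.xml. The following is an added example, not code from the advisory or from ImageMagick: it parses a policy.xml and reports whether any coder rule removes all rights from MSL, honouring ImageMagick's `*`, `?` and `{a,b}` glob patterns. The element and attribute names are ImageMagick's own policy format; both sample policies are constructed for illustration.

```python
# Added example (not from the advisory): audit an ImageMagick policy.xml for a
# rule that denies the MSL coder. Both sample policies below are constructed.
import re
import xml.etree.ElementTree as ET

# Constructed: limits memory but leaves every coder, including MSL, enabled.
WEAK_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
</policymap>"""

# Constructed: the same policy with MSL denied through a brace-glob pattern.
HARDENED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="{EPHEMERAL,MSL}"/>
</policymap>"""


def glob_to_regex(pattern: str) -> str:
    """Translate an ImageMagick policy glob ('*', '?', '{a,b}') to a regex."""
    esc = re.escape(pattern)
    esc = esc.replace(r"\*", ".*").replace(r"\?", ".")
    return esc.replace(r"\{", "(?:").replace(r"\}", ")").replace(",", "|")


def coder_denied(policy_xml: str, coder: str = "MSL") -> bool:
    """True if a <policy domain="coder" rights="none"> rule matches `coder`.

    Only a rule that removes all rights counts: rights="read" still lets the
    coder run. Pattern matching is case-insensitive, as ImageMagick's is.
    """
    root = ET.fromstring(policy_xml)
    for rule in root.iter("policy"):
        if rule.get("domain", "").lower() != "coder":
            continue
        if rule.get("rights", "").strip().lower() != "none":
            continue
        regex = glob_to_regex(rule.get("pattern", ""))
        if re.fullmatch(regex, coder, re.IGNORECASE):
            return True
    return False


def audit(policy_xml: str) -> str:
    """One-line verdict suitable for a CI or configuration-management check."""
    return "OK: MSL coder denied" if coder_denied(policy_xml) else "WARN: MSL coder enabled"


if __name__ == "__main__":
    for name, text in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: {audit(text)}")
```

Run it against the live file (commonly /etc/ImageMagick-7/policy.xml, path varies by distribution) by reading that file into `audit()`; a blanket `pattern="*"` deny rule is also recognised as covering MSL.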

Technical Appendix

CVSS Score: 5.5 / 10
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS Probability: 0.01% (top 98% most exploited)

Affected Systems

ImageMagick < 7.1.2-13
Magick.NET < 14.10.2
Any web application processing user-supplied images with default ImageMagick policies

Affected Versions Detail

Product       Vendor                  Affected Versions   Fixed Version
ImageMagick   ImageMagick Studio LLC  < 7.1.2-13          7.1.2-13
Magick.NET    dlemstra                < 14.10.2           14.10.2
Attribute        Detail
CWE ID           CWE-674
Attack Vector    Local (File Upload)
CVSS             5.5 (Medium)
Impact           Denial of Service (DoS)
Exploit Status   Trivial / PoC Available
EPSS Score       0.00013
CWE-674: Uncontrolled Recursion

The software executes a function that calls itself (recursion) without properly ensuring that the recursion is bounded or that the exit condition is reachable.

Vulnerability Timeline

Vulnerability Discovered: 2026-01-01
Patch Released in 7.1.2-13: 2026-02-01
