CVE-2026-23952

Phantom Pixels: Null Pointer Dereference in ImageMagick's MSL Parser

Amit Schendel
Senior Security Researcher

Jan 21, 2026 · 5 min read · 12 visits

Executive Summary (TL;DR)

ImageMagick's parser for its XML-based scripting language (MSL) attempts to modify image properties (like comments) even if no image has been loaded. This results in a classic NULL pointer dereference (CWE-476) and an immediate crash. The flaw is triggerable remotely if the victim processes untrusted MSL files.

A logic flaw in ImageMagick's MSL (Magick Scripting Language) parser allows a Denial of Service via a NULL pointer dereference. By supplying a malformed XML script that defines image attributes without an image, attackers can crash the process.

Technical Appendix

CVSS Score
7.5 / 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Affected Systems

ImageMagick 7.x < 7.1.2-13
ImageMagick 6.x < 6.9.13-38
Debian Bullseye
Debian Bookworm
Debian Sid

Affected Versions Detail

| Product | Affected Versions | Fixed Version |
|---|---|---|
| ImageMagick | < 7.1.2-13 | 7.1.2-13 |
| ImageMagick | < 6.9.13-38 | 6.9.13-38 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-476 |
| Attack Vector | Network / Local (File Upload) |
| CVSS | 7.5 (High) |
| Impact | Denial of Service (DoS) |
| Vulnerability Type | NULL Pointer Dereference |
| Component | coders/msl.c (MSLEndElement) |

CWE-476
NULL Pointer Dereference

A NULL pointer dereference occurs when the application attempts to use a pointer that has a value of NULL, causing a crash or exit.