Apr 14, 2026·4 min read·31 visits
An off-by-one array index in ImageMagick's MSL decoder causes an out-of-bounds memory increment, resulting in heap corruption and application crash when parsing crafted files.
ImageMagick versions prior to 7.1.2-19 contain an off-by-one vulnerability in the Magick Scripting Language (MSL) decoder. Processing a maliciously crafted MSL file triggers an out-of-bounds heap increment, leading to memory corruption and denial of service.
ImageMagick relies on various decoder modules to process numerous image formats and scripting languages. The Magick Scripting Language (MSL) module, implemented in coders/msl.c, handles XML-based scripts used to automate image processing tasks. This module exposes an attack surface when applications automatically parse user-supplied files.
A vulnerability tracked as CVE-2026-40312 exists within this MSL decoder component. The flaw is classified as an off-by-one error (CWE-193), which manifests as a heap-based buffer overflow (CWE-122). This occurs during the parsing of specific XML structures related to image groups.
The primary impact of this vulnerability is a denial of service. Exploitation corrupts heap memory structures, which reliably causes the ImageMagick process to crash when subsequent memory allocation or deallocation routines run. The vulnerability affects ImageMagick versions prior to 7.1.2-19 and Magick.NET versions prior to 14.12.0.
The root cause lies in the MSLPushImage function responsible for tracking images within defined groups. The decoder maintains a dynamic array of group_info structures inside the MSLInfo context object. This array is indexed sequentially as new groups are processed during MSL parsing.
A logic error occurs when the code attempts to increment the image count for the currently active group. The implementation uses the total count of groups (msl_info->number_groups) as the array index. In the C programming language, arrays are zero-indexed, meaning the highest valid index for an array of size N is N-1.
By accessing group_info[number_groups], the decoder targets the memory address immediately following the allocated group_info buffer. The subsequent increment operator (++) modifies this out-of-bounds memory location. This action corrupts data on the heap adjacent to the targeted buffer.
The vulnerability is located in coders/msl.c at line 272. The unpatched code directly uses number_groups as the index without subtracting one. This flaw is triggered whenever msl_info->number_groups is greater than zero during an image push operation.
The fix, introduced in commit 2a06c7be3bba3326caf8b7a8d1fa2e0d4b88998d, requires a single-line modification. The patch corrects the index offset by subtracting one from the number_groups variable.
--- a/coders/msl.c
+++ b/coders/msl.c
@@ -272,7 +272,7 @@ static ssize_t MSLPushImage(MSLInfo *msl_info,Image *image)
(msl_info->attributes[n] == (Image *) NULL))
ThrowFatalException(ResourceLimitFatalError,"MemoryAllocationFailed")
if (msl_info->number_groups != 0)
- msl_info->group_info[msl_info->number_groups].numImages++;
+ msl_info->group_info[msl_info->number_groups-1].numImages++;
return(n);
}This change ensures the increment operation targets the numImages member of the final valid element within the allocated group_info array. The fix completely resolves the off-by-one calculation, preventing the out-of-bounds heap access on this specific code path.
Exploitation requires an attacker to supply a crafted MSL file to an application utilizing ImageMagick. The vulnerability is local in nature (AV:L), meaning the malicious file must be delivered to and processed by the target system. No user interaction or elevated privileges are required once the parsing routine begins.
The out-of-bounds operation performs a blind increment on memory adjacent to the group_info array. This corrupts 1 to 8 bytes of heap metadata or adjacent application data, depending on the underlying architecture and compiler padding. When the glibc memory allocator (or equivalent) later attempts to read the corrupted chunk headers during free() or malloc(), it detects the inconsistency and aborts the process.
This behavior leads directly to a high availability impact (A:H), as defined by the CVSS 6.2 score. Applications relying on ImageMagick to process untrusted user uploads are susceptible to denial-of-service attacks. Currently, no public proof-of-concept exploits or active exploitation campaigns exist for this vulnerability.
The definitive remediation for CVE-2026-40312 is upgrading the ImageMagick binary and associated libraries. System administrators must deploy ImageMagick version 7.1.2-19 or later. Software developers integrating Magick.NET must update their NuGet package dependencies to version 14.12.0 or higher.
In environments where immediate patching is not feasible, administrators can disable the vulnerable MSL coder entirely. This is achieved by modifying the ImageMagick policy.xml configuration file to restrict access to the MSL module.
<policymap>
<policy domain="coder" rights="none" pattern="MSL" />
</policymap>Implementing this policy configuration instructs the ImageMagick core engine to reject any files identified as MSL scripts. This workaround provides complete protection against the vulnerability without requiring a binary update, though it breaks legitimate MSL script processing.
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H| Product | Affected Versions | Fixed Version |
|---|---|---|
ImageMagick ImageMagick Studio LLC | < 7.1.2-19 | 7.1.2-19 |
Magick.NET Magick.NET | < 14.12.0 | 14.12.0 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-193 |
| Attack Vector | Local |
| CVSS Score | 6.2 (Medium) |
| EPSS Score | 0.00012 |
| Impact | Denial of Service |
| Exploit Status | None |
| CISA KEV | Not Listed |
Off-by-one Error
An authentication bypass in the SiYuan personal knowledge management system before version 3.7.0 exposes a dynamic icon rendering endpoint. This endpoint processes client-supplied Go template directives. By submitting a crafted request, an unauthenticated remote attacker can leverage registered database template functions to execute arbitrary read-only SQL queries and exfiltrate workspace contents.
CVE-2026-54069 is a critical authentication bypass vulnerability in the SiYuan Note personal knowledge management system. The flaw is located in the HTTP server's middleware handling API authorization, which unconditionally trusts requests carrying a 'chrome-extension://' scheme in the Origin HTTP header, granting administrative access without validating API tokens.
CVE-2026-54089 is a critical authentication bypass vulnerability in File Browser affecting instances configured with proxy-based authentication. An unauthenticated remote attacker with direct network access can impersonate arbitrary users or register new accounts by spoofing configured HTTP headers.
The malicious Cargo package 'exploration' was uploaded to the crates.io registry. During compilation or package import, the crate executes code designed to establish an outbound TCP/HTTP connection, download an external second-stage binary, and execute the binary locally on the host machine. This creates an unauthenticated remote code execution vector impacting developer environments and continuous integration pipelines.
CVE-2026-54088 is a critical command injection vulnerability in File Browser prior to version 2.63.6. When Hook Authentication is enabled, the application interpolates unsanitized credentials into a shell command, allowing unauthenticated remote code execution.
An authenticated remote code execution vulnerability exists in NotrinosERP (versions up to and including 1.0.0) within the Human Resource Management (HRM) module. Users with employee management permissions can upload arbitrary file types, including PHP scripts, which are written directly to a web-accessible directory. This allows for arbitrary code execution in the context of the web-server user.