Apr 14, 2026
An off-by-one array index in ImageMagick's MSL decoder causes an out-of-bounds memory increment, resulting in heap corruption and application crash when parsing crafted files.
ImageMagick versions prior to 7.1.2-19 contain an off-by-one vulnerability in the Magick Scripting Language (MSL) decoder. Processing a maliciously crafted MSL file triggers an out-of-bounds heap increment, leading to memory corruption and denial of service.
ImageMagick relies on various decoder modules to process numerous image formats and scripting languages. The Magick Scripting Language (MSL) module, implemented in coders/msl.c, handles XML-based scripts used to automate image processing tasks. This module exposes an attack surface when applications automatically parse user-supplied files.
A vulnerability tracked as CVE-2026-40312 exists within this MSL decoder component. The flaw is classified as an off-by-one error (CWE-193), which manifests as a heap-based buffer overflow (CWE-122). This occurs during the parsing of specific XML structures related to image groups.
The primary impact of this vulnerability is a denial of service. Exploitation corrupts heap memory structures, which reliably causes the ImageMagick process to crash when subsequent memory allocation or deallocation routines run. The vulnerability affects ImageMagick versions prior to 7.1.2-19 and Magick.NET versions prior to 14.12.0.
The root cause lies in the MSLPushImage function responsible for tracking images within defined groups. The decoder maintains a dynamic array of group_info structures inside the MSLInfo context object. This array is indexed sequentially as new groups are processed during MSL parsing.
A logic error occurs when the code attempts to increment the image count for the currently active group. The implementation uses the total count of groups (msl_info->number_groups) as the array index. In the C programming language, arrays are zero-indexed, meaning the highest valid index for an array of size N is N-1.
By accessing group_info[number_groups], the decoder targets the memory address immediately following the allocated group_info buffer. The subsequent increment operator (++) modifies this out-of-bounds memory location. This action corrupts data on the heap adjacent to the targeted buffer.
The vulnerability is located in coders/msl.c at line 272. The unpatched code directly uses number_groups as the index without subtracting one. This flaw is triggered whenever msl_info->number_groups is greater than zero during an image push operation.
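The following is an added example, not ImageMagick's own code: a small stand-alone model of the group bookkeeping described above, with a bounds check in place of the raw increment so that both the unpatched index (number_groups) and the corrected one (number_groups-1) can be exercised safely. The type and function names (MslGroup, MslInfo, msl_push_group, msl_push_image, msl_target_index, msl_demo) are assumed stand-ins for the decoder's real structures.

```c
/* Added example, not ImageMagick's code: models the group_info array
 * kept in the MSL decoder context and the index used when an image is
 * pushed while a group is open. All names here are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    int numImages;          /* images pushed while this group is active */
} MslGroup;

typedef struct {
    MslGroup *group_info;   /* dynamically grown array of groups */
    size_t number_groups;   /* number of valid entries in group_info */
} MslInfo;

/* Index the unpatched code uses (number_groups) versus the fixed one
 * (number_groups-1). Returns -1 when no group is open, mirroring the
 * "number_groups != 0" guard in the real function. */
static long msl_target_index(size_t number_groups, int patched)
{
    if (number_groups == 0)
        return -1;
    return patched ? (long)number_groups - 1 : (long)number_groups;
}

/* Grow group_info by one zeroed entry, like opening a group in a script. */
static int msl_push_group(MslInfo *info)
{
    MslGroup *grown = realloc(info->group_info,
                              (info->number_groups + 1) * sizeof *grown);
    if (grown == NULL)
        return -1;
    info->group_info = grown;
    memset(&info->group_info[info->number_groups], 0, sizeof *grown);
    info->number_groups++;
    return 0;
}

/* Bounds-checked stand-in for the increment. Returns 1 if the increment
 * landed inside the array, 0 if it would have written one element past
 * the end (what the unpatched decoder does), -1 if no group is open. */
static int msl_push_image(MslInfo *info, int patched)
{
    long idx = msl_target_index(info->number_groups, patched);
    if (idx < 0)
        return -1;
    if ((size_t)idx >= info->number_groups) {
        /* The real code has no check here and increments heap memory
         * immediately after the buffer; this model refuses instead. */
        return 0;
    }
    info->group_info[idx].numImages++;
    return 1;
}

static void msl_free(MslInfo *info)
{
    free(info->group_info);
    info->group_info = NULL;
    info->number_groups = 0;
}

/* Open ngroups groups, then push one image; returns msl_push_image's result. */
static int msl_demo(int patched, size_t ngroups)
{
    MslInfo info = { NULL, 0 };
    int result;
    for (size_t i = 0; i < ngroups; i++)
        if (msl_push_group(&info) != 0) {
            msl_free(&info);
            return -2;
        }
    result = msl_push_image(&info, patched);
    msl_free(&info);
    return result;
}

int main(void)
{
    printf("unpatched, 1 group: %d (0 = write past array refused)\n", msl_demo(0, 1));
    printf("patched,   1 group: %d (1 = in-bounds increment)\n", msl_demo(1, 1));
    printf("no group:           %d (-1 = guard skipped increment)\n", msl_demo(1, 0));
    return 0;
}
```

With one group open the unpatched index is 1 in an array whose only valid index is 0, which is exactly the one-element overrun the advisory describes; the corrected index always resolves to the last allocated group, and the `number_groups != 0` guard keeps it from going negative.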
The fix, introduced in commit 2a06c7be3bba3326caf8b7a8d1fa2e0d4b88998d, requires a single-line modification. The patch corrects the index offset by subtracting one from the number_groups variable.
--- a/coders/msl.c
+++ b/coders/msl.c
@@ -272,7 +272,7 @@ static ssize_t MSLPushImage(MSLInfo *msl_info,Image *image)
(msl_info->attributes[n] == (Image *) NULL))
ThrowFatalException(ResourceLimitFatalError,"MemoryAllocationFailed")
if (msl_info->number_groups != 0)
- msl_info->group_info[msl_info->number_groups].numImages++;
+ msl_info->group_info[msl_info->number_groups-1].numImages++;
return(n);
}
This change ensures the increment operation targets the numImages member of the final valid element within the allocated group_info array. The fix completely resolves the off-by-one calculation, preventing the out-of-bounds heap access on this specific code path.
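Review bot: the corrected index `msl_info->number_groups-1` is safe only because of the `if (msl_info->number_groups != 0)` guard on the line directly above it; if that guard is ever relaxed or moved, the subtraction yields -1 (or wraps, for an unsigned count) and the write lands before the buffer instead of after it. A one-line comment stating the invariant (group_info holds number_groups entries and the active group is the last one) would make that coupling explicit, and the change should ship with a regression MSL script that pushes an image inside an open group, run under AddressSanitizer, since the unpatched write is otherwise silent until the allocator trips over it.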
Exploitation requires an attacker to supply a crafted MSL file to an application utilizing ImageMagick. The vulnerability is local in nature (AV:L), meaning the malicious file must be delivered to and processed by the target system. No user interaction or elevated privileges are required once the parsing routine begins.
The out-of-bounds operation performs a blind increment on memory adjacent to the group_info array. This corrupts 1 to 8 bytes of heap metadata or adjacent application data, depending on the underlying architecture and compiler padding. When the glibc memory allocator (or equivalent) later attempts to read the corrupted chunk headers during free() or malloc(), it detects the inconsistency and aborts the process.
This behavior accounts for the high availability impact (A:H) in the CVSS vector and the resulting 6.2 score. Applications relying on ImageMagick to process untrusted user uploads are susceptible to denial-of-service attacks. Currently, no public proof-of-concept exploits or active exploitation campaigns exist for this vulnerability.
The definitive remediation for CVE-2026-40312 is upgrading the ImageMagick binary and associated libraries. System administrators must deploy ImageMagick version 7.1.2-19 or later. Software developers integrating Magick.NET must update their NuGet package dependencies to version 14.12.0 or higher.
In environments where immediate patching is not feasible, administrators can disable the vulnerable MSL coder entirely. This is achieved by modifying the ImageMagick policy.xml configuration file to restrict access to the MSL module.
<policymap>
<policy domain="coder" rights="none" pattern="MSL" />
</policymap>
Implementing this policy configuration instructs the ImageMagick core engine to reject any files identified as MSL scripts. This workaround provides complete protection against the vulnerability without requiring a binary update, though it breaks legitimate MSL script processing.
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

| Product | Vendor | Affected Versions | Fixed Version |
|---|---|---|---|
| ImageMagick | ImageMagick Studio LLC | < 7.1.2-19 | 7.1.2-19 |
| Magick.NET | Magick.NET | < 14.12.0 | 14.12.0 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-193 |
| Attack Vector | Local |
| CVSS Score | 6.2 (Medium) |
| EPSS Score | 0.00012 |
| Impact | Denial of Service |
| Exploit Status | None |
| CISA KEV | Not Listed |