CVE-2026-23952

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

I

mageMagick is free and open-source software used for editing and manipulating digital images. Versions 14.10.1 and below have a NULL pointer dereference vulnerability in the MSL (Magick Scripting Language) parser when processing <comment> tags before images are loaded. This can lead to DoS attack due to assertion failure (debug builds) or NULL pointer dereference (release builds). This issue is fixed in version 14.10.2.

References

Link	Resource
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-5vx3-wx4q-6cj8	Exploit Vendor Advisory
https://github.com/dlemstra/Magick.NET/releases/tag/14.10.2	Product Release Notes

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:imagemagick:imagemagick::::::::
	cpe:2.3:a:imagemagick:imagemagick::::::::

Configuration 2 (hide)

cpe:2.3:a:dlemstra:magick.net:*:*:*:*:*:*:*:*

History

27 Feb 2026, 15:35

Type	Values Removed	Values Added
First Time		Dlemstra Imagemagick imagemagick Imagemagick Dlemstra magick.net
CPE		cpe:2.3:a:imagemagick:imagemagick:::::::: cpe:2.3:a:dlemstra:magick.net::::::::
References	~~() https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-5vx3-wx4q-6cj8 -~~	() https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-5vx3-wx4q-6cj8 - Exploit, Vendor Advisory
References	~~() https://github.com/dlemstra/Magick.NET/releases/tag/14.10.2 -~~	() https://github.com/dlemstra/Magick.NET/releases/tag/14.10.2 - Product, Release Notes

22 Jan 2026, 01:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-22 01:15

Updated : 2026-02-27 15:35

NVD link : CVE-2026-23952

Mitre link : CVE-2026-23952

CVE.ORG link : CVE-2026-23952

JSON object : View

Products Affected

imagemagick

imagemagick

magick.net

CWE

CWE-476

NULL Pointer Dereference

{"id": "CVE-2026-23952", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-01-22T01:15:52.790", "references": [{"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-5vx3-wx4q-6cj8", "tags": ["Exploit", "Vendor Advisory"], "source": "[email protected]"}, {"url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.10.2", "tags": ["Product", "Release Notes"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-476"}]}], "descriptions": [{"lang": "en", "value": "ImageMagick is free and open-source software used for editing and manipulating digital images. Versions 14.10.1 and below have a NULL pointer dereference vulnerability in the MSL (Magick Scripting Language) parser when processing <comment> tags before images are loaded. This can lead to DoS attack due to assertion failure (debug builds) or NULL pointer dereference (release builds). This issue is fixed in version 14.10.2."}], "lastModified": "2026-02-27T15:35:07.890", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B5479E5D-F05A-4418-9D2B-12523B300E2C", "versionEndExcluding": "6.9.13-38"}, {"criteria": "cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F658C5B2-8A54-42DB-88AB-FB7D5FE1712C", "versionEndExcluding": "7.1.2-13", "versionStartIncluding": "7.0.0-0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dlemstra:magick.net:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "016CE8C8-345A-46C9-8E07-6B8E94D3D2FF", "versionEndExcluding": "14.10.2"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}