CVE-2026-23874

Description

## Summary Stack overflow via infinite recursion in MSL (Magick Scripting Language) `<write>` command when writing to MSL format. ## Version - ImageMagick 7.x (tested on current main branch) - Commit: HEAD - Requires: libxml2 support (for MSL parsing) ## Steps to Reproduce ### Method 1: Using ImageMagick directly ```bash magick MSL:recursive.msl out.png ``` ### Method 2: Using OSS-Fuzz reproduce ```bash python3 infra/helper.py build_fuzzers imagemagick python3 infra/helper.py reproduce imagemagick msl_fuzzer recursive.msl ``` Or run the fuzzer directly: ```bash ./msl_fuzzer recursive.msl ``` ## Expected Behavior ImageMagick should handle recursive MSL references gracefully by detecting the loop and returning an error. ## Actual Behavior Stack overflow causes process crash: ``` AddressSanitizer:DEADLYSIGNAL ==PID==ERROR: AddressSanitizer: stack-overflow #0 MSLStartElement /src/imagemagick/coders/msl.c:7045 #1 xmlParseStartTag /src/libxml2/parser.c #2 xmlParseChunk /src/libxml2/parser.c:11273 #3 ProcessMSLScript /src/imagemagick/coders/msl.c:7405 #4 WriteMSLImage /src/imagemagick/coders/msl.c:7867 #5 WriteImage /src/imagemagick/MagickCore/constitute.c:1346 #6 MSLStartElement /src/imagemagick/coders/msl.c:7045 ... (infinite recursion, 287+ frames) ``` ## Root Cause Analysis In `coders/msl.c`, the `<write>` command handler in `MSLStartElement()` (line ~7045) calls `WriteImage()`. When the output filename specifies MSL format (`msl:filename`), `WriteMSLImage()` is called, which parses the MSL file again via `ProcessMSLScript()`. If the MSL file references itself (directly or indirectly), this creates an infinite recursion loop: ``` MSLStartElement() → WriteImage() → WriteMSLImage() → ProcessMSLScript() → xmlParseChunk() → MSLStartElement() → ... (infinite loop) ``` ## Impact - **DoS**: Guaranteed crash via stack exhaustion - **Affected**: Any application using ImageMagick to process user-supplied MSL files ## Additional Trigger Paths The `<read>` command can also trigger recursion: Indirect recursion is also possible (a.msl → b.msl → a.msl). ## Fuzzer This issue was discovered using a custom MSL fuzzer: ```cpp #include <cstdint> #include <Magick++/Blob.h> #include <Magick++/Image.h> #include "utils.cc" extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { if (IsInvalidSize(Size)) return(0); try { const Magick::Blob blob(Data, Size); Magick::Image image; image.magick("MSL"); image.fileName("MSL:"); image.read(blob); } catch (Magick::Exception) { } return(0); } ``` This issue was found by Team FuzzingBrain @ Texas A&M University

Affected packages (21)

• Debian/imagemagickfrom 0, < 8:6.9.11.60+dfsg-1.3+deb11u9
• Debian/imagemagickfrom 0, < 8:6.9.11.60+dfsg-1.6+deb12u6
• Debian/imagemagickfrom 0, < 8:6.9.11.60+dfsg-1.3+deb11u9
• NuGet/Magick.NET-Q16-AnyCPUfrom 0, < 14.10.2
• NuGet/Magick.NET-Q16-arm64from 0, < 14.10.2
• NuGet/Magick.NET-Q16-HDRI-AnyCPUfrom 0, < 14.10.2
• NuGet/Magick.NET-Q16-HDRI-arm64from 0, < 14.10.2
• NuGet/Magick.NET-Q16-HDRI-OpenMP-arm64from 0, < 14.10.2
• NuGet/Magick.NET-Q16-HDRI-OpenMP-x64from 0, < 14.10.2
• NuGet/Magick.NET-Q16-HDRI-x64from 0, < 14.10.2
• NuGet/Magick.NET-Q16-HDRI-x86from 0, < 14.10.2
• NuGet/Magick.NET-Q16-OpenMP-arm64from 0, < 14.10.2
• NuGet/Magick.NET-Q16-OpenMP-x64from 0, < 14.10.2
• NuGet/Magick.NET-Q16-x64from 0, < 14.10.2
• NuGet/Magick.NET-Q16-x86from 0, < 14.10.2
• NuGet/Magick.NET-Q8-AnyCPUfrom 0, < 14.10.2
• NuGet/Magick.NET-Q8-arm64from 0, < 14.10.2
• NuGet/Magick.NET-Q8-OpenMP-arm64from 0, < 14.10.2
• NuGet/Magick.NET-Q8-OpenMP-x64from 0, < 14.10.2
• NuGet/Magick.NET-Q8-x64from 0, < 14.10.2
• NuGet/Magick.NET-Q8-x86from 0, < 14.10.2

CVSS scores

References (5)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-23874
• ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-23874
• PATCHhttps://github.com/ImageMagick/ImageMagick
• WEBhttps://github.com/dlemstra/Magick.NET/releases/tag/14.10.2
• WEBhttps://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9vj4-wc7r-p844