{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40312", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-10T21:41:54.505Z", "datePublished": "2026-04-13T21:43:28.416Z", "dateUpdated": "2026-04-14T19:27:39.053Z"}, "containers": {"cna": {"title": "ImageMagick: Off-by-One in MSL decoder could result in crash", "problemTypes": [{"descriptions": [{"cweId": "CWE-193", "lang": "en", "description": "CWE-193: Off-by-one Error", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-5xg3-585r-9jh5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-5xg3-585r-9jh5"}, {"name": "https://github.com/ImageMagick/ImageMagick/commit/2a06c7be3bba3326caf8b7a8d1fa2e0d4b88998d", "tags": ["x_refsource_MISC"], "url": "https://github.com/ImageMagick/ImageMagick/commit/2a06c7be3bba3326caf8b7a8d1fa2e0d4b88998d"}, {"name": "https://github.com/ImageMagick/ImageMagick/releases/tag/7.1.2-19", "tags": ["x_refsource_MISC"], "url": "https://github.com/ImageMagick/ImageMagick/releases/tag/7.1.2-19"}, {"name": "https://github.com/dlemstra/Magick.NET/releases/tag/14.12.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.12.0"}], "affected": [{"vendor": "ImageMagick", "product": "ImageMagick", "versions": [{"version": "< 7.1.2-19", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-13T21:43:28.416Z"}, "descriptions": [{"lang": "en", "value": "ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, an off by one error in the MSL decoder could result in a crash when a malicous MSL file is read. This issue has been fixed in version 7.1.2-19."}], "source": {"advisory": "GHSA-5xg3-585r-9jh5", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40312", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T19:06:40.524092Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T19:27:39.053Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40312", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T19:06:40.524092Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T19:23:16.271Z"}}], "cna": {"title": "ImageMagick: Off-by-One in MSL decoder could result in crash", "source": {"advisory": "GHSA-5xg3-585r-9jh5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "ImageMagick", "product": "ImageMagick", "versions": [{"status": "affected", "version": "< 7.1.2-19"}]}], "references": [{"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-5xg3-585r-9jh5", "name": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-5xg3-585r-9jh5", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/ImageMagick/ImageMagick/commit/2a06c7be3bba3326caf8b7a8d1fa2e0d4b88998d", "name": "https://github.com/ImageMagick/ImageMagick/commit/2a06c7be3bba3326caf8b7a8d1fa2e0d4b88998d", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/ImageMagick/ImageMagick/releases/tag/7.1.2-19", "name": "https://github.com/ImageMagick/ImageMagick/releases/tag/7.1.2-19", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.12.0", "name": "https://github.com/dlemstra/Magick.NET/releases/tag/14.12.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, an off by one error in the MSL decoder could result in a crash when a malicous MSL file is read. This issue has been fixed in version 7.1.2-19."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-193", "description": "CWE-193: Off-by-one Error"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-13T21:43:28.416Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40312", "state": "PUBLISHED", "dateUpdated": "2026-04-14T19:27:39.053Z", "dateReserved": "2026-04-10T21:41:54.505Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-13T21:43:28.416Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, an off by one error in the MSL decoder could result in a crash when a malicous MSL file is read. This issue has been fixed in version 7.1.2-19."}], "id": "CVE-2026-40312", "lastModified": "2026-04-13T22:16:30.113", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-13T22:16:30.113", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/ImageMagick/ImageMagick/commit/2a06c7be3bba3326caf8b7a8d1fa2e0d4b88998d"}, {"source": "security-advisories@github.com", "url": "https://github.com/ImageMagick/ImageMagick/releases/tag/7.1.2-19"}, {"source": "security-advisories@github.com", "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-5xg3-585r-9jh5"}, {"source": "security-advisories@github.com", "url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.12.0"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-193"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "ImageMagick: Magick.NET: ImageMagick and Magick.NET: Denial of Service via malicious MSL file processing", "id": "2458044", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458044"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.2", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-193", "details": ["A flaw was found in ImageMagick. A remote attacker could exploit an off-by-one error when processing a specially crafted malicious MSL (Magick Scripting Language) file. This vulnerability could lead to a denial of service (DoS) by causing the application to crash, making it unavailable to users."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-40312", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "ImageMagick", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "ImageMagick", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2026-04-13T21:43:28Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-40312\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-40312\nhttps://github.com/ImageMagick/ImageMagick/commit/2a06c7be3bba3326caf8b7a8d1fa2e0d4b88998d\nhttps://github.com/ImageMagick/ImageMagick/releases/tag/7.1.2-19\nhttps://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-5xg3-585r-9jh5\nhttps://github.com/dlemstra/Magick.NET/releases/tag/14.12.0"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.1.2-19)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "ImageMagick", "source": "cna", "vendor": "ImageMagick"}, "product": "imagemagick", "vendor": "imagemagick"}], "analysis": {"en": {"generated_at": "2026-04-13T23:22:27.755625+00:00", "value": {"mitigation_remediation": ["Upgrade ImageMagick to\u00a07.1.2\u201119\u00a0or later.", "If using Magick.NET, upgrade to\u00a014.12.0\u00a0or later."], "summary": {"action": "Apply Update", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The flaw affects the ImageMagick library in all releases prior to 7.1.2\u201119. Applications or services that rely on these older versions to load or transform images are susceptible. The fix is available in version 7.1.2\u201119 and later, and for the .NET binding Magick.NET the corresponding update is 14.12.0.", "description_and_impact": "The vulnerability is an off\u2011by\u2011one error in the MSL decoder of ImageMagick. When the library processes a malicious MSL file, a memory boundary is mis\u2011handled, which can cause the program to crash. The crash results in a denial of service for any process that uses ImageMagick to process images. This weakness is classified as CWE\u2011193.", "risk_and_exploitability": "The CVSS score of 6.2 indicates a moderate severity. No exploitation probability score is provided, and the vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector is local or remote delivery of a crafted MSL image to an ImageMagick\u2011based service; an adversary could trigger the crash and force the target application to terminate or restart, causing a denial of service. Because the issue is triggered by image processing, any path that accepts untrusted images could be abused."}}}}, "created": "2026-04-14T16:17:05.373558+00:00", "updated": "2026-04-14T16:32:56.647424+00:00", "vendors": ["imagemagick", "imagemagick$PRODUCT$imagemagick"]}