CVE-2026-28688: ImageMagick has heap use-after-free in the MSL encoder
A heap-use-after-free vulnerability exists in the MSL encoder, where a cloned image is destroyed twice. The MSL coder does not support writing MSL so the write capability has been removed.
SUMMARY: AddressSanitizer: heap-use-after-free MagickCore/image.c:1195 in DestroyImage
Shadow bytes around the buggy address:
0x0a4e80007450: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0a4e80007460: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0a4e80007470: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0a4e80007480: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0a4e80007490: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0a4e800074a0: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd
0x0a4e800074b0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
0x0a4e800074c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0a4e800074d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0a4e800074e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0a4e800074f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
References
Code Behaviors & Features
Detect and mitigate CVE-2026-28688 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →