Skip to main content

Magick.NET CVE-2026-42326

MEDIUM
Out-of-bounds Read (CWE-125)
2026-05-18 https://github.com/ImageMagick/ImageMagick GHSA-7wff-wpr6-vmhm
5.1
CVSS 3.1 · Vendor: https://github.com/ImageMagick/ImageMagick
Share

Severity by source

Vendor (https://github.com/ImageMagick/ImageMagick) PRIMARY
5.1 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
SUSE
4.4 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
Red Hat
5.1 MEDIUM
qualitative

Primary rating from Vendor (https://github.com/ImageMagick/ImageMagick).

CVSS VectorVendor: https://github.com/ImageMagick/ImageMagick

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
Low

Lifecycle Timeline

2
Source Code Evidence Fetched
May 18, 2026 - 16:30 vuln.today
Analysis Generated
May 18, 2026 - 16:30 vuln.today

DescriptionCVE.org

When writing an IPTC output file a malicious input file could cause an out of bounds read of a single byte.

AnalysisAI

Out-of-bounds single-byte heap read in Magick.NET's IPTC encoder exposes all NuGet package variants (Q16, Q16-HDRI, multi-architecture builds) before version 14.13.1 to limited confidentiality and availability impact when processing a crafted input file. The flaw resides in the IPTC output writing pathway: supplying a malicious image file triggers a one-byte over-read of the heap buffer, classified as CWE-125. No active exploitation has been identified (not in CISA KEV), no public exploit code is known, and the local attack vector (AV:L) materially constrains realistic exposure.

Technical ContextAI

Magick.NET is the official .NET wrapper for the ImageMagick image processing engine, distributed across multiple NuGet packages differentiated by color quantization depth (Q16), HDR support (HDRI), OpenMP parallelism, and target architecture (x64, x86, arm64, AnyCPU). The IPTC (International Press Telecommunications Council) standard defines a binary metadata format embedded within image files. CWE-125 (Out-of-Bounds Read) arises when the IPTC encoder, during output file construction, computes an incorrect buffer boundary and reads one byte beyond the allocated heap region. This class of defect typically results from an off-by-one error in length calculation or pointer arithmetic. Affected CPEs span all Magick.NET NuGet variants: magick.net-q16-anycpu, magick.net-q16-hdri-anycpu, magick.net-q16-hdri-openmp-arm64, magick.net-q16-hdri-openmp-x64, magick.net-q16-hdri-arm64, magick.net-q16-hdri-x64, magick.net-q16-hdri-x86, magick.net-q16-openmp-arm64, magick.net-q16-openmp-x64, and magick.net-q16-arm64, all versions prior to 14.13.1.

RemediationAI

Upgrade all Magick.NET NuGet package references to version 14.13.1 or later, confirmed as the fix version in GitHub Security Advisory GHSA-7wff-wpr6-vmhm (https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7wff-wpr6-vmhm). Update the package reference in project files (e.g., change <PackageReference Include='Magick.NET-Q16-AnyCPU' Version='...' /> to Version='14.13.1') and run dotnet restore. For applications that cannot immediately update, a compensating control is to sanitize or reject input files before IPTC processing: disable IPTC metadata writing for untrusted inputs, or strip metadata from files at ingestion using a separate validation step prior to invoking Magick.NET's IPTC encoder. The trade-off is that stripping metadata may affect legitimate workflows that depend on IPTC data. No patch versioning conflicts are expected given this is a point release of the NuGet packages.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Affected
SUSE Linux Enterprise Module for Development Tools 15 SP7 Affected
SUSE Linux Enterprise Module for Package Hub 15 SP7 Not-Affected

Share

CVE-2026-42326 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy