Skip to main content

Magick.NET CVE-2026-45031

MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-05-18 https://github.com/ImageMagick/ImageMagick GHSA-cwpj-h54c-xjpx
5.3
CVSS 3.1 · Vendor: https://github.com/ImageMagick/ImageMagick
Share

Severity by source

Vendor (https://github.com/ImageMagick/ImageMagick) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
SUSE
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (https://github.com/ImageMagick/ImageMagick).

CVSS VectorVendor: https://github.com/ImageMagick/ImageMagick

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

2
Source Code Evidence Fetched
May 18, 2026 - 18:34 vuln.today
Analysis Generated
May 18, 2026 - 18:34 vuln.today

DescriptionCVE.org

Due to a missing check in the PSD decoder it would be possible to bypass the list-length resource policy when decoding a PSD image. Other security limits would still apply.

AnalysisAI

Policy bypass in Magick.NET's PSD decoder allows remote unauthenticated attackers to circumvent the configured list-length resource policy when processing Photoshop Document (PSD) images, resulting in partial availability impact (CWE-400 uncontrolled resource consumption). All Magick.NET NuGet package variants prior to version 14.13.1 are affected across multiple architectures and quantization depths. No public exploit identified at time of analysis and no CISA KEV listing exists; however, the CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates that any internet-exposed application accepting PSD uploads is reachable without authentication or special conditions.

Technical ContextAI

Magick.NET is the .NET wrapper around ImageMagick, distributed as a family of NuGet packages differentiated by quantization depth (Q16, Q16-HDRI), architecture (x64, arm64, x86, AnyCPU), and OpenMP support. ImageMagick implements a resource policy system that allows operators to cap consumption of resources such as memory, disk, time, and list-length during image decoding. The PSD (Photoshop Document) format decoder is missing a validation check against the list-length policy gate, meaning the decoder can process list structures of unbounded length relative to what the policy is intended to enforce. The root cause class is CWE-400 (Uncontrolled Resource Consumption): by omitting the policy check, the decoder allows image data to drive resource usage beyond administrator-defined limits. The advisory notes that other security limits (such as memory or pixel caps) remain in effect, which constrains - but does not eliminate - the potential for resource exhaustion.

RemediationAI

Vendor-released patch: 14.13.1. Upgrade all Magick.NET NuGet package references to version 14.13.1 or later via NuGet Package Manager or by updating the version constraint in your project file (e.g., <PackageReference Include="Magick.NET-Q16-AnyCPU" Version="14.13.1" />). The advisory is published at https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cwpj-h54c-xjpx. If immediate patching is not feasible, implement upstream file-type filtering to reject PSD uploads before they reach the Magick.NET decoder - note this requires reliable MIME or magic-byte detection rather than extension checks alone, and may impact legitimate PSD workflows. Alternatively, reduce the blast radius by running image processing in a resource-capped subprocess or container with strict memory and CPU limits, compensating for the bypassed list-length policy; this adds operational complexity but does not eliminate the vulnerability.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Affected
SUSE Linux Enterprise Module for Development Tools 15 SP7 Affected
SUSE Linux Enterprise Module for Package Hub 15 SP7 Not-Affected

Share

CVE-2026-45031 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy