Skip to main content

Magick.NET CVE-2026-45358

MEDIUM
Out-of-bounds Read (CWE-125)
2026-05-18 https://github.com/ImageMagick/ImageMagick GHSA-cr6r-hmj8-pr7r
5.3
CVSS 3.1 · Vendor: https://github.com/ImageMagick/ImageMagick
Share

Severity by source

Vendor (https://github.com/ImageMagick/ImageMagick) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
SUSE
3.3 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Red Hat
5.3 MEDIUM
qualitative

Primary rating from Vendor (https://github.com/ImageMagick/ImageMagick).

CVSS VectorVendor: https://github.com/ImageMagick/ImageMagick

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 18, 2026 - 18:36 vuln.today
Analysis Generated
May 18, 2026 - 18:36 vuln.today

DescriptionCVE.org

An of by one in the meta encoder could result in an out of bounds read of a single byte in the meta encoder.

AnalysisAI

Out-of-bounds single-byte read in Magick.NET's meta encoder affects all Q16 and Q16-HDRI NuGet package variants prior to version 14.13.1. An off-by-one indexing error in the meta encoder allows a remote unauthenticated attacker to read one byte beyond the allocated buffer boundary during metadata processing, resulting in limited memory disclosure. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog; however, the CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates the flaw is network-reachable without authentication or user interaction, making any application that processes attacker-supplied images or metadata a viable target.

Technical ContextAI

Magick.NET is the .NET/NuGet binding library for ImageMagick, distributed in multiple architecture and color-depth variants (Q16, Q16-HDRI, x64, ARM64, x86, AnyCPU). The root cause is classified as CWE-125 (Out-of-bounds Read): an off-by-one arithmetic error in the meta encoder causes the read pointer or loop bound to exceed the valid buffer by exactly one index position, exposing a single byte of adjacent heap or stack memory. Such errors typically arise from incorrect use of less-than-or-equal comparisons instead of strict less-than in bounds checks, or from zero-indexed buffers being accessed with a one-based length value. The meta encoder processes image metadata (e.g., EXIF, IPTC, comment fields), meaning the flaw is reachable whenever metadata encoding is triggered. Affected CPEs span all major Magick.NET Q16 variants: pkg:nuget/magick.net-q16-anycpu, pkg:nuget/magick.net-q16-hdri-anycpu, and all architecture-specific permutations (arm64, x64, x86, OpenMP variants).

RemediationAI

Vendor-released patch: 14.13.1. Upgrade all affected Magick.NET NuGet packages (Q16 and Q16-HDRI variants, all architectures) to version 14.13.1 or later via NuGet package manager (dotnet add package Magick.NET-Q16-AnyCPU --version 14.13.1 or the equivalent for the specific variant in use). Full advisory details are available at https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cr6r-hmj8-pr7r. If immediate patching is not possible, applications that accept images or metadata from untrusted sources should apply input validation and size restrictions on metadata fields before passing data to Magick.NET's encoder pipeline; however, this is a mitigating measure only and does not eliminate the underlying flaw. Disabling or sandboxing metadata processing operations (e.g., stripping all metadata before encoding with Magick.NET) would reduce exposure but may break application functionality dependent on EXIF or IPTC data handling.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Affected
SUSE Linux Enterprise Module for Development Tools 15 SP7 Affected
SUSE Linux Enterprise Module for Package Hub 15 SP7 Not-Affected

Share

CVE-2026-45358 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy