Skip to main content

Magick.NET CVE-2026-45359

MEDIUM
Out-of-bounds Read (CWE-125)
2026-05-18 https://github.com/ImageMagick/ImageMagick GHSA-vhrh-72hq-w8m7
5.7
CVSS 3.1 · Vendor: https://github.com/ImageMagick/ImageMagick
Share

Severity by source

Vendor (https://github.com/ImageMagick/ImageMagick) PRIMARY
5.7 MEDIUM
AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L
SUSE
MEDIUM
qualitative
Red Hat
7.1 HIGH
qualitative

Primary rating from Vendor (https://github.com/ImageMagick/ImageMagick).

CVSS VectorVendor: https://github.com/ImageMagick/ImageMagick

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

2
Source Code Evidence Fetched
May 18, 2026 - 18:36 vuln.today
Analysis Generated
May 18, 2026 - 18:36 vuln.today

DescriptionCVE.org

An invalid connected-components:keep-top value could result in a heap buffer over-read when performing the connected components operation.

AnalysisAI

Heap buffer over-read in Magick.NET's connected components operation exposes process memory when an attacker or untrusted input supplies a malformed connected-components:keep-top define value. All Magick.NET NuGet package variants (Q16, Q16-HDRI, OpenMP, arm64, x64, x86, AnyCPU) prior to version 14.13.1 are affected. Exploitation yields high confidentiality impact - enabling partial or full disclosure of heap memory contents - with low availability impact and no integrity impact; no public exploit and no CISA KEV listing have been identified at time of analysis.

Technical ContextAI

Magick.NET is a .NET wrapper library around the ImageMagick image processing engine, distributed across multiple NuGet package variants differentiated by color depth (Q16, Q16-HDRI), threading model (OpenMP), and CPU architecture (AnyCPU, x64, arm64, x86). The connected components operation segments an image into labeled regions; the connected-components:keep-top define is a user-supplied parameter that controls how many top components are retained. CWE-125 (Out-of-bounds Read) identifies the root cause: the library fails to validate this parameter before using it to index into a heap-allocated buffer, permitting a read beyond the buffer's allocated bounds. The over-read occurs on the heap - a more controlled memory region than the stack - making reliable arbitrary-offset reads feasible depending on heap layout, which can leak sensitive in-process data (e.g., keys, tokens, adjacent image data). The CVSS vector AV:L confirms the triggering input must reach the process locally (e.g., via a file path or piped input on the same host), while AC:H indicates exploitation requires favorable heap-layout conditions, reducing repeatability.

RemediationAI

Upgrade all Magick.NET NuGet packages to version 14.13.1 or later; this is the vendor-confirmed fixed release per GHSA-vhrh-72hq-w8m7 (https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vhrh-72hq-w8m7). Update via NuGet package manager or dotnet add package Magick.NET-Q16-AnyCPU --version 14.13.1 (substituting the appropriate variant for your deployment). If immediate patching is not possible, apply the following compensating controls: restrict or sanitize the connected-components:keep-top define value at the application layer before passing it to Magick.NET, rejecting any non-integer or out-of-range values - this eliminates the invalid input pathway without requiring a library update, though it adds application-layer validation burden. Additionally, isolate image-processing workloads in sandboxed or containerized environments with minimal process privileges to limit the impact of any heap memory disclosure. Do not rely on OS-level ASLR alone as a sufficient control given the local attack vector.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Affected
SUSE Linux Enterprise Module for Development Tools 15 SP7 Affected
SUSE Linux Enterprise Module for Package Hub 15 SP7 Not-Affected

Share

CVE-2026-45359 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy