Skip to main content

Magick.NET CVE-2026-45624

MEDIUM
Out-of-bounds Read (CWE-125)
2026-05-18 https://github.com/ImageMagick/ImageMagick GHSA-pfvh-m9xv-8966
5.1
CVSS 3.1 · Vendor: https://github.com/ImageMagick/ImageMagick
Share

Severity by source

Vendor (https://github.com/ImageMagick/ImageMagick) PRIMARY
5.1 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
SUSE
MEDIUM
qualitative
Red Hat
4.4 MEDIUM
qualitative

Primary rating from Vendor (https://github.com/ImageMagick/ImageMagick).

CVSS VectorVendor: https://github.com/ImageMagick/ImageMagick

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
Low

Lifecycle Timeline

2
Source Code Evidence Fetched
May 18, 2026 - 21:34 vuln.today
Analysis Generated
May 18, 2026 - 21:34 vuln.today

DescriptionCVE.org

When performing a polynomial distortion an out of bounds over-read of 24 bytes can occur when specifying specific arguments.

AnalysisAI

Out-of-bounds heap over-read in Magick.NET's polynomial distortion operation exposes limited heap memory and can trigger a crash when processing a specially crafted image with specific distortion arguments. Affected are all Magick.NET NuGet package variants (Q16, Q16-HDRI, across AnyCPU, arm64, x64, x86, and OpenMP builds) prior to version 14.13.1. The CVSS vector scores this as a local, low-complexity issue with low confidentiality and availability impact; no public exploit code exists and it is not listed in the CISA KEV catalog at time of analysis.

Technical ContextAI

Magick.NET is the .NET wrapper library for ImageMagick, distributed via NuGet in multiple build variants targeting different architectures (AnyCPU, arm64, x64, x86) and quantum depths (Q16, Q16-HDRI, with optional OpenMP acceleration). The vulnerable code path resides in the polynomial distortion operation, where insufficient bounds checking on caller-supplied arguments allows a read of up to 24 bytes beyond the end of an allocated heap buffer - classified as CWE-125 (Out-of-bounds Read). The GHSA advisory headline refers to a 'Heap Buffer Over-Read of 4 bytes' while the CVE description and advisory body specify 24 bytes; this discrepancy may reflect different measurement points or a title error in the advisory. The over-read can expose adjacent heap contents (information disclosure) or, depending on heap layout, dereference unmapped memory and crash the process (availability impact). All ten NuGet package variants listed in the CPE data share the same underlying ImageMagick distortion code and are equally affected.

RemediationAI

Upgrade all affected Magick.NET NuGet packages to version 14.13.1 or later; this is the vendor-confirmed fixed release per GHSA-pfvh-m9xv-8966 (https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-pfvh-m9xv-8966). Update the package reference in your project file (e.g., change <PackageReference Include="Magick.NET-Q16-AnyCPU" Version="x.x.x" /> to Version 14.13.1 or use a floating >=14.13.1 constraint) and rebuild. If an immediate upgrade is not possible, the most effective compensating control is to validate and reject image inputs before invoking polynomial distortion operations - specifically, enforce argument count and value bounds on distortion parameters at the application layer before passing them to Magick.NET. Disabling the polynomial distortion feature entirely (if not required by the application) eliminates the attack surface with no impact on other operations. There are no known side effects from the upgrade itself.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Affected
SUSE Linux Enterprise Module for Development Tools 15 SP7 Affected
SUSE Linux Enterprise Module for Package Hub 15 SP7 Not-Affected

Share

CVE-2026-45624 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy