Skip to main content

Magick.NET CVE-2026-45664

MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-05-18 https://github.com/ImageMagick/ImageMagick GHSA-g5mf-wqq5-vwg6
5.3
CVSS 3.1 · Vendor: https://github.com/ImageMagick/ImageMagick
Share

Severity by source

Vendor (https://github.com/ImageMagick/ImageMagick) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
SUSE
MEDIUM
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (https://github.com/ImageMagick/ImageMagick).

CVSS VectorVendor: https://github.com/ImageMagick/ImageMagick

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

2
Source Code Evidence Fetched
May 18, 2026 - 21:34 vuln.today
Analysis Generated
May 18, 2026 - 21:34 vuln.today

DescriptionCVE.org

Because of a missing check in the MNG coder it would be possible to read more images than the list limit policy would allow resulting in excessive resource use.

AnalysisAI

Denial-of-service via policy bypass in Magick.NET's MNG coder allows remote unauthenticated attackers to exhaust server resources by submitting crafted MNG image files that circumvent the library's configured image list limit. All Magick.NET NuGet package variants (Q16, Q16-HDRI, and OpenMP/ARM64/x64/x86 flavors) below version 14.13.1 are confirmed vulnerable. No public exploit exists and the vulnerability is not in CISA KEV at time of analysis, but the network-accessible, zero-authentication attack surface makes this an accessible DoS primitive for any application accepting user-supplied image input.

Technical ContextAI

MNG (Multiple-image Network Graphics) is a PNG-based container format supporting animated or multi-frame image sequences. ImageMagick and its .NET wrapper Magick.NET implement a 'list limit' security policy - configurable via policy.xml - designed to cap the number of images a single file can inject into the processing pipeline, bounding memory and CPU consumption. CWE-400 (Uncontrolled Resource Consumption) is the root cause: the MNG coder lacks a bounds check that enforces this policy at parse time, meaning a crafted MNG file embedding more image frames than the limit permits bypasses the control entirely. The affected packages span all NuGet distribution variants of Magick.NET (pkg:nuget/magick.net-q16-anycpu, magick.net-q16-hdri-anycpu, q16-hdri-openmp-arm64, q16-hdri-openmp-x64, q16-hdri-arm64, q16-hdri-x64, q16-hdri-x86, q16-openmp-arm64, q16-openmp-x64, q16-arm64), confirming this is a library-level defect propagated across all build targets.

RemediationAI

Upgrade all Magick.NET NuGet packages to version 14.13.1 or later - this is the vendor-released patch confirmed by GitHub Security Advisory GHSA-g5mf-wqq5-vwg6 (https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-g5mf-wqq5-vwg6). If immediate upgrade is not feasible, the most targeted workaround is to block MNG file processing at the application layer by rejecting files with the MNG magic bytes (hex 8A 4D 4E 47 0D 0A 1A 0A) or the .mng extension before they reach Magick.NET - this eliminates the attack surface entirely with no side effects other than loss of MNG support. A secondary compensating control is to impose OS-level resource limits (Linux cgroups, ulimits, or Windows Job Objects) on the image processing worker to cap memory and CPU per process, which bounds DoS blast radius but does not prevent the policy bypass. Relying solely on ImageMagick policy.xml list limits is explicitly insufficient given the nature of this bypass.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Affected
SUSE Linux Enterprise Module for Development Tools 15 SP7 Affected
SUSE Linux Enterprise Module for Package Hub 15 SP7 Not-Affected

Share

CVE-2026-45664 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy