Skip to main content

ImageMagick CVE-2026-46520

HIGH
Heap-based Buffer Overflow (CWE-122)
2026-05-18 https://github.com/ImageMagick/ImageMagick GHSA-36wm-hprc-mcf5
7.5
CVSS 3.1 · Vendor: https://github.com/ImageMagick/ImageMagick
Share

Severity by source

Vendor (https://github.com/ImageMagick/ImageMagick) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (https://github.com/ImageMagick/ImageMagick).

CVSS VectorVendor: https://github.com/ImageMagick/ImageMagick

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 18, 2026 - 21:31 vuln.today
Analysis Generated
May 18, 2026 - 21:31 vuln.today

DescriptionCVE.org

When reading multiple images with different dimensions an out of bounds heap write can occur.

AnalysisAI

Heap-based buffer over-write in ImageMagick's IPL decoder (exposed through Magick.NET bindings) can be triggered when the library reads a multi-image stream whose frames have differing dimensions, leading to memory corruption and process crash. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/C:N/I:N/A:H) signals an availability-only impact reachable without authentication, and no public exploit identified at time of analysis. Risk is amplified by how widely ImageMagick is embedded in image-processing pipelines that accept untrusted user uploads.

Technical ContextAI

ImageMagick's IPL (Image Processing Language) coder parses a container that can hold multiple raster frames in a single file. The flaw is a CWE-122 heap-based buffer overflow: when successive frames declare different width/height than the first, the decoder writes pixel data into a heap allocation sized for the original dimensions, overrunning the buffer. The advisory targets the Magick.NET NuGet packages (Q16 and Q16-HDRI variants across AnyCPU, x64, x86, arm64, and OpenMP builds), which wrap the native MagickCore library where the underlying IPL coder lives.

RemediationAI

Vendor-released patch: 14.13.1 - upgrade all referenced Magick.NET-Q16 and Magick.NET-Q16-HDRI NuGet packages to 14.13.1 or later as the primary fix, following the upstream advisory at https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-36wm-hprc-mcf5. Where immediate upgrade is not possible, disable the IPL coder in policy.xml with a line such as <policy domain="coder" rights="none" pattern="IPL" /> to refuse decoding of this format entirely (trade-off: any legitimate IPL workloads will break); additionally constrain attacker-controlled inputs by enforcing allow-lists of accepted formats at the application layer before handing bytes to ImageMagick, and apply MagickCore resource limits (memory, width, height, area) so a successful crash at least contains blast radius to a single worker process.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Affected
SUSE Linux Enterprise Module for Development Tools 15 SP7 Affected
SUSE Linux Enterprise Module for Package Hub 15 SP7 Not-Affected

Share

CVE-2026-46520 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy