Skip to main content

Magick.NET CVE-2026-46521

MEDIUM
Incorrect Calculation of Buffer Size (CWE-131)
2026-05-18 https://github.com/ImageMagick/ImageMagick GHSA-jcqp-6r6f-3mfx
5.5
CVSS 3.1 · Vendor: https://github.com/ImageMagick/ImageMagick
Share

Severity by source

Vendor (https://github.com/ImageMagick/ImageMagick) PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from Vendor (https://github.com/ImageMagick/ImageMagick).

CVSS VectorVendor: https://github.com/ImageMagick/ImageMagick

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 18, 2026 - 21:33 vuln.today
Analysis Generated
May 18, 2026 - 21:33 vuln.today

DescriptionCVE.org

When using LZMA compression in the MIFF encoder an out of bounds write can occur due to a missing check.

AnalysisAI

Heap buffer over-write in Magick.NET's MIFF encoder triggers an out-of-bounds write when LZMA compression is active, due to a missing buffer size check (CWE-131). All Magick.NET NuGet package variants prior to version 14.13.1 are affected across multiple architectures (AnyCPU, x64, x86, arm64) and depth configurations (Q16, Q16-HDRI, OpenMP). An attacker who can deliver a crafted MIFF file for local processing can crash the consuming application, resulting in a complete availability impact. No public exploit code or CISA KEV listing exists at time of analysis, limiting real-world severity despite the heap write primitive.

Technical ContextAI

Magick.NET is the official .NET wrapper for the ImageMagick image processing engine, distributed as multiple NuGet packages differentiated by color depth (Q16, Q16-HDRI), CPU architecture (AnyCPU, x64, x86, arm64), and threading model (standard, OpenMP). The vulnerability resides in the MIFF (Magick Image File Format) encoder, specifically on the code path that applies LZMA (Lempel-Ziv-Markov chain Algorithm) compression. CWE-131 (Incorrect Calculation of Buffer Size) identifies the root cause: a missing validation check means the encoder does not correctly calculate or enforce the destination buffer size before writing compressed output, resulting in a heap buffer over-write. LZMA compression is an optional but legitimate compression codec supported by MIFF. The bug is triggered during encoding (write path), not decoding, meaning the vulnerable path executes when the library is writing/saving an image with LZMA compression enabled.

RemediationAI

Upgrade all Magick.NET NuGet packages to version 14.13.1 or later - this is the vendor-confirmed fix version per GHSA-jcqp-6r6f-3mfx. Update each affected package variant in use (e.g., Magick.NET-Q16-AnyCPU, Magick.NET-Q16-HDRI-x64, etc.) via NuGet package manager or dotnet CLI: 'dotnet add package Magick.NET-Q16-AnyCPU --version 14.13.1'. If an immediate upgrade is not feasible, the primary compensating control is to avoid writing MIFF images with LZMA compression - applications can switch to a different MIFF compression type (e.g., Zip or RLE) or a different output format entirely; note this may affect interoperability with downstream consumers expecting LZMA-compressed MIFF. Additionally, if Magick.NET processes user-supplied files, restrict the input path to trusted sources at the application boundary to prevent reaching the vulnerable MIFF encoder path. Advisory reference: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-jcqp-6r6f-3mfx.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Affected
SUSE Linux Enterprise Module for Development Tools 15 SP7 Affected
SUSE Linux Enterprise Module for Package Hub 15 SP7 Not-Affected

Share

CVE-2026-46521 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy