Skip to main content

Magick.NET CVE-2026-46523

MEDIUM
Use After Free (CWE-416)
2026-05-18 https://github.com/ImageMagick/ImageMagick GHSA-5r4x-w6p5-222q
6.2
CVSS 3.1 · Vendor: https://github.com/ImageMagick/ImageMagick
Share

Severity by source

Vendor (https://github.com/ImageMagick/ImageMagick) PRIMARY
6.2 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (https://github.com/ImageMagick/ImageMagick).

CVSS VectorVendor: https://github.com/ImageMagick/ImageMagick

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 18, 2026 - 21:33 vuln.today
Analysis Generated
May 18, 2026 - 21:33 vuln.today

DescriptionCVE.org

A crafted MSL image can trigger a heap-use-after-free.

AnalysisAI

Heap-use-after-free in Magick.NET's MSL (Magick Scripting Language) decoder causes a denial-of-service condition when processing a crafted MSL image file. All Magick.NET NuGet package variants across Q16, Q16-HDRI, and multi-architecture builds prior to version 14.13.1 are affected. No public exploit code and no confirmed active exploitation (CISA KEV) have been identified at time of analysis; the CVSS vector indicates local-only access with availability-only impact, classifying this as a crasher rather than a code execution or data exposure issue.

Technical ContextAI

Magick.NET is the .NET wrapper for ImageMagick, distributed as a family of NuGet packages targeting different quantization depths (Q16, Q16-HDRI), CPU architectures (x86, x64, arm64), and optional OpenMP parallelism. The MSL (Magick Scripting Language) decoder parses a custom XML-like scripting format embedded in image files. CWE-416 (Use After Free) identifies the root cause: heap memory is freed during MSL parsing but subsequently dereferenced, corrupting heap state. The heap-use-after-free manifests as an application crash (availability impact only per CVSS C:N/I:N/A:H), though the advisory tags also flag 'Information Disclosure' and 'Memory Corruption' - signals that under-the-right-conditions heap layout leakage or memory corruption beyond a simple crash may be theoretically possible, a discrepancy with the CVSS confidentiality rating of None that warrants vendor clarification.

RemediationAI

The primary fix is upgrading all Magick.NET NuGet packages to version 14.13.1 or later; this is a vendor-released patch confirmed by GHSA-5r4x-w6p5-222q (https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-5r4x-w6p5-222q). If an immediate upgrade is not feasible, the most actionable compensating control is to disable or filter MSL format processing: configure Magick.NET image processing pipelines to reject files with MSL extensions or MSL-format magic bytes before they reach the decoder, which eliminates the attack surface entirely at the cost of losing MSL scripting support. Additionally, in applications that process user-supplied images, enforce strict file type allowlisting at the upload boundary so that only expected raster formats (JPEG, PNG, WebP, etc.) are passed to the library. These controls trade MSL functionality for safety and should be treated as temporary mitigations pending patch deployment.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Affected
SUSE Linux Enterprise Module for Development Tools 15 SP7 Affected
SUSE Linux Enterprise Module for Package Hub 15 SP7 Not-Affected

Share

CVE-2026-46523 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy