Skip to main content

Magick.NET CVE-2026-46557

MEDIUM
Uncontrolled Recursion (CWE-674)
2026-05-18 https://github.com/ImageMagick/ImageMagick GHSA-rcr6-g7jc-f57g
6.2
CVSS 3.1 · Vendor: https://github.com/ImageMagick/ImageMagick
Share

Severity by source

Vendor (https://github.com/ImageMagick/ImageMagick) PRIMARY
6.2 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from Vendor (https://github.com/ImageMagick/ImageMagick).

CVSS VectorVendor: https://github.com/ImageMagick/ImageMagick

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 18, 2026 - 21:33 vuln.today
Analysis Generated
May 18, 2026 - 21:33 vuln.today

DescriptionCVE.org

Due to a missing depth check a stack overflow can occur in the fx operation by passing a crafted argument.

AnalysisAI

Stack overflow in the Magick.NET fx expression evaluator affects all Q16 and HDRI NuGet package variants prior to version 14.13.1. The root cause is a missing recursion depth check in the fx operation: a crafted argument can drive the evaluator into uncontrolled recursion, exhausting the call stack and crashing the host process. Impact is limited to availability (denial of service); no confidentiality or integrity exposure is present, and no public exploit or CISA KEV listing exists at time of analysis.

Technical ContextAI

The fx operation is ImageMagick's built-in mathematical expression and formula evaluator, used to apply pixel-level transformations. CWE-674 (Uncontrolled Recursion) identifies the root cause: the evaluator lacks a depth counter or guard to cap recursive expression parsing, so a pathologically nested crafted argument can drive call-stack depth to OS limits and trigger a stack overflow. The affected packages are the official .NET bindings for ImageMagick distributed via NuGet - specifically all Q16 (16-bit quantum depth) and HDRI (high dynamic range) variants across x86, x64, arm64, AnyCPU, and OpenMP-enabled builds. The vulnerability exists in the underlying ImageMagick C library, surfaced through all of these .NET wrapper packages.

RemediationAI

Upgrade all affected Magick.NET NuGet packages to version 14.13.1 or later; this is the vendor-released patch confirmed by GitHub Security Advisory GHSA-rcr6-g7jc-f57g. Update via NuGet package manager using 'dotnet add package Magick.NET-Q16-AnyCPU --version 14.13.1' (substitute the specific variant in use). For applications that cannot be patched immediately, the primary compensating control is to restrict or sanitize fx expression input before it reaches the Magick.NET API - specifically, reject or strip deeply nested recursive expressions through application-layer input validation. Additionally, sandboxing the image-processing process (e.g., running it in a separate low-privilege container or process with resource limits such as ulimit -s on Linux) can contain the impact of a crash to availability without affecting the wider application. Neither workaround eliminates the underlying flaw, and patching to 14.13.1 remains the definitive remediation.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Not-Affected
SUSE Linux Enterprise Module for Development Tools 15 SP7 Affected
SUSE Linux Enterprise Module for Package Hub 15 SP7 Not-Affected

Share

CVE-2026-46557 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy