Skip to main content

Magick.NET CVE-2026-46559

MEDIUM
Off-by-one Error (CWE-193)
2026-05-18 https://github.com/ImageMagick/ImageMagick GHSA-533m-3wf6-c33v
4.0
CVSS 3.1 · Vendor: https://github.com/ImageMagick/ImageMagick
Share

Severity by source

Vendor (https://github.com/ImageMagick/ImageMagick) PRIMARY
4.0 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
SUSE
3.3 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Red Hat
6.2 MEDIUM
qualitative

Primary rating from Vendor (https://github.com/ImageMagick/ImageMagick).

CVSS VectorVendor: https://github.com/ImageMagick/ImageMagick

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

2
Source Code Evidence Fetched
May 18, 2026 - 21:32 vuln.today
Analysis Generated
May 18, 2026 - 21:32 vuln.today

DescriptionCVE.org

An incorrect check in the JP2 will result in an heap buffer over-write of a single byte when specifying certain options.

AnalysisAI

Heap buffer over-write of a single byte in Magick.NET's JP2 encoder allows local attackers to cause availability impact (crash/denial of service) by supplying a crafted JP2 image processed with certain options. All Magick.NET NuGet package variants prior to version 14.13.1 are affected across multiple architectures (AnyCPU, x64, x86, arm64) and quantum depth configurations (Q16, Q16-HDRI). No public exploit has been identified at time of analysis, and a vendor-released patch exists at version 14.13.1.

Technical ContextAI

The vulnerability resides in the JP2 (JPEG 2000) encoder within the Magick.NET library family - the .NET wrapper around ImageMagick, distributed via NuGet. CWE-193 (Off-by-One Error) identifies the root cause: an incorrect boundary check in the JP2 processing path allows a write operation to overwrite exactly one byte beyond the allocated heap buffer. This class of flaw typically occurs when loop counters, length calculations, or comparison operators use incorrect boundary conditions (e.g., '<' vs '<=' or miscounted index offsets). The affected packages span multiple build configurations: Q16 and Q16-HDRI (standard and high-dynamic-range) variants, OpenMP-accelerated builds, and ARM64/x64/x86/AnyCPU architecture targets - suggesting the vulnerable code path exists in the shared ImageMagick core rather than platform-specific wrappers.

RemediationAI

Upgrade all Magick.NET NuGet packages to version 14.13.1 or later - this is the vendor-confirmed fix version per GHSA-533m-3wf6-c33v. Update the package reference in your project file (e.g., change <PackageReference Include="Magick.NET-Q16-AnyCPU" Version="..." /> to Version="14.13.1") and rebuild. If immediate upgrade is not feasible, a compensating control is to disable or sandbox JP2 (JPEG 2000) image processing: restrict accepted input formats at the application boundary to exclude JP2/JP2K files, or filter out JP2-specific encoder options before passing them to Magick.NET. This reduces attack surface at the cost of loss of JPEG 2000 support. For server-side image processing pipelines, consider running Magick.NET processing in an isolated worker process with constrained memory limits to bound the blast radius of any heap corruption to a process crash rather than broader system impact. See the advisory at https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-533m-3wf6-c33v for vendor details.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Affected
SUSE Linux Enterprise Module for Development Tools 15 SP7 Affected
SUSE Linux Enterprise Module for Package Hub 15 SP7 Not-Affected

Share

CVE-2026-46559 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy