Skip to main content

Magick.NET CVE-2026-46692

MEDIUM
Heap-based Buffer Overflow (CWE-122)
2026-05-22 https://github.com/ImageMagick/ImageMagick GHSA-p93h-f2jc-477j
4.1
CVSS 3.1 · Vendor: https://github.com/ImageMagick/ImageMagick
Share

Severity by source

Vendor (https://github.com/ImageMagick/ImageMagick) PRIMARY
4.1 MEDIUM
AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.9 MEDIUM
qualitative

Primary rating from Vendor (https://github.com/ImageMagick/ImageMagick).

CVSS VectorVendor: https://github.com/ImageMagick/ImageMagick

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 23, 2026 - 00:31 vuln.today
Analysis Generated
May 23, 2026 - 00:31 vuln.today

DescriptionCVE.org

An attacker who can connect to a magick -distribute-cache service can cause a heap buffer over-write in the server process.

AnalysisAI

Heap buffer over-write in ImageMagick's distributed pixel cache server (magick -distribute-cache) allows an attacker who can connect to the service to corrupt the server process's heap memory, resulting in a high-severity denial-of-service condition. All Magick.NET NuGet package variants (Q16, HDRI, OpenMP, across arm64/x64/x86/AnyCPU architectures) prior to version 14.12.0 are confirmed affected. No public exploit has been identified at time of analysis and the vulnerability does not appear in CISA KEV; however, a notable discrepancy exists between the CVSS attack vector (AV:L, local) and the description's implication of service-level connectivity, which warrants independent verification before fully trusting the low CVSS score.

Technical ContextAI

The vulnerability resides in ImageMagick's distributed pixel cache subsystem, which allows offloading large image pixel buffers to a remote or local cache server process launched via magick -distribute-cache. CWE-122 (Heap-based Buffer Overflow) indicates that the root cause is a write operation that exceeds the bounds of a heap-allocated buffer - likely during request parsing or pixel cache data handling within the server process. The affected packages are the official .NET bindings for ImageMagick distributed via NuGet under the Magick.NET umbrella, spanning multiple build configurations: standard Q16 (16-bit quantum depth), HDRI (High Dynamic Range Imaging), and OpenMP-accelerated variants, across x86, x64, arm64, and AnyCPU targets. Because the distribute-cache server is a standalone process that accepts incoming connections, any client-supplied data that reaches the vulnerable buffer handling code is attacker-controlled.

RemediationAI

Vendor-released patch: 14.12.0. Upgrade all Magick.NET NuGet packages to version 14.12.0 or later immediately; this fix is confirmed across all Q16, HDRI, OpenMP, and architecture variants per the GitHub Security Advisory at https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-p93h-f2jc-477j. If immediate upgrade is not feasible, the primary compensating control is to ensure the magick -distribute-cache server is not running or is not exposed: do not launch the distribute-cache daemon in production environments unless explicitly required, and if required, restrict access to the service port via host-based firewall rules to trusted IP addresses only. The trade-off of disabling distribute-cache is loss of distributed pixel cache offload capability, which may impact performance for very large image processing workloads. There is no known workaround that preserves distribute-cache functionality while neutralizing the vulnerability.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Affected
SUSE Linux Enterprise Module for Development Tools 15 SP7 Affected
SUSE Linux Enterprise Module for Package Hub 15 SP7 Not-Affected

Share

CVE-2026-46692 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy