Skip to main content

Magick.NET CVE-2026-46693

MEDIUM
Race Condition (CWE-362)
2026-05-22 https://github.com/ImageMagick/ImageMagick GHSA-4g75-9r48-jf92
4.1
CVSS 3.1 · Vendor: https://github.com/ImageMagick/ImageMagick
Share

Severity by source

Vendor (https://github.com/ImageMagick/ImageMagick) PRIMARY
4.1 MEDIUM
AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
SUSE
MEDIUM
qualitative
Red Hat
4.4 LOW
qualitative

Primary rating from Vendor (https://github.com/ImageMagick/ImageMagick).

CVSS VectorVendor: https://github.com/ImageMagick/ImageMagick

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 23, 2026 - 00:32 vuln.today
Analysis Generated
May 23, 2026 - 00:32 vuln.today

DescriptionCVE.org

An attacker who can connect to a magick -distribute-cache service can hijack a file descriptor in the server process when a race condition is met.

AnalysisAI

File descriptor hijacking in ImageMagick's distributed pixel cache server (magick -distribute-cache) exposes sensitive data via a race condition exploitable by a privileged local attacker. Affected are all Magick.NET NuGet packages across Q16, Q16-HDRI, OpenMP, and ARM64 variants prior to version 14.12.0. Successful exploitation yields high-confidentiality impact - an attacker can read file descriptors belonging to the server process - though no public exploit code exists and this is not currently listed in the CISA KEV catalog.

Technical ContextAI

ImageMagick's distributed pixel cache subsystem (invoked via magick -distribute-cache) offloads pixel cache I/O to a separate server process, enabling distributed image processing across nodes. The vulnerability stems from CWE-362 (Concurrent Execution Using Shared Resource with Improper Synchronization), a classic race condition in which the server process does not atomically validate and assign file descriptors during connection handling. An attacker who establishes a connection to this service during a vulnerable timing window can manipulate the file descriptor table of the server process before synchronization completes. The affected packages are the .NET bindings (Magick.NET) that bundle the ImageMagick native libraries; all Q16 depth variants (standard, HDRI, OpenMP) and all CPU architectures (AnyCPU, x64, x86, arm64) are affected. CPE data confirms the scope spans: pkg:nuget/magick.net-q16-anycpu, pkg:nuget/magick.net-q16-hdri-anycpu, pkg:nuget/magick.net-q16-hdri-openmp-arm64, pkg:nuget/magick.net-q16-hdri-arm64, pkg:nuget/magick.net-q16-hdri-x64, pkg:nuget/magick.net-q16-hdri-x86, pkg:nuget/magick.net-q16-openmp-arm64, pkg:nuget/magick.net-q16-openmp-x64, pkg:nuget/magick.net-q16-arm64, and pkg:nuget/magick.net-q16-x64.

RemediationAI

Upgrade all Magick.NET NuGet package variants to version 14.12.0 or later; this is the vendor-released patch confirmed by the GHSA advisory at https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-4g75-9r48-jf92. If immediate upgrade is not feasible, the most effective compensating control is to disable or not expose the magick -distribute-cache service entirely - this feature is non-default and unnecessary for single-node image processing workloads; disabling it fully eliminates the attack surface with no functional impact for typical use cases. If the distributed cache is operationally required, restrict access to the service endpoint using host-based firewall rules or OS-level access controls to limit which accounts or processes can connect, thereby addressing the privilege and access vector preconditions. Note that network-level blocking alone is insufficient if the AV:L classification is accurate and the service is a local IPC endpoint - in that case, OS user/group permissions on the socket or pipe are the correct enforcement boundary.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Affected
SUSE Linux Enterprise Module for Development Tools 15 SP7 Affected
SUSE Linux Enterprise Module for Package Hub 15 SP7 Not-Affected

Share

CVE-2026-46693 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy