Skip to main content

Magick.NET CVE-2026-47165

MEDIUM
Information Exposure (CWE-200)
2026-05-22 https://github.com/ImageMagick/ImageMagick GHSA-2rgj-gx5x-f62w
4.1
CVSS 3.1 · Vendor: https://github.com/ImageMagick/ImageMagick
Share

Severity by source

Vendor (https://github.com/ImageMagick/ImageMagick) PRIMARY
4.1 MEDIUM
AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
SUSE
MEDIUM
qualitative
Red Hat
4.0 LOW
qualitative

Primary rating from Vendor (https://github.com/ImageMagick/ImageMagick).

CVSS VectorVendor: https://github.com/ImageMagick/ImageMagick

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 23, 2026 - 00:30 vuln.today
Analysis Generated
May 23, 2026 - 00:30 vuln.today

DescriptionCVE.org

The distributed pixel cache was originally designed to operate without a challenge-response authentication model. However, given today’s heightened security expectations, we have changed our implementation.

AnalysisAI

Information disclosure in Magick.NET's distributed pixel cache server exposes sensitive pixel data due to the absence of a challenge-response authentication model on the cache service. All Magick.NET NuGet packages (Q16, Q16-HDRI, and OpenMP variants across AnyCPU, x64, x86, arm64 architectures) prior to version 14.12.0 are affected. A highly privileged local attacker meeting the high-complexity conditions of this vulnerability could read pixel cache contents belonging to other processes, leaking potentially sensitive image data. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Technical ContextAI

ImageMagick's distributed pixel cache is a network-capable feature that offloads pixel data storage to a dedicated cache server, enabling distributed image processing workflows. The Magick.NET packages (pkg:nuget/magick.net-q16-* family) are the official .NET/C

bindings for ImageMagick, distributed via NuGet for multiple architectures and build configurations (Q16 integer depth, Q16-HDRI floating-point, OpenMP-accelerated, and standard variants). The root cause is CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor): the pixel cache server accepted connections and served pixel data without requiring a client to prove its identity through a challenge-response exchange. This design-level omission means any process or user that can reach the cache endpoint - under the local, high-privilege constraints of the CVSS vector - can read raw pixel buffers that may contain sensitive image content in transit or at rest within the cache.

RemediationAI

Vendor-released patch: Magick.NET 14.12.0 (all package variants). Upgrade all affected Magick.NET NuGet packages to version 14.12.0 or later, which introduces a challenge-response authentication model for the distributed pixel cache server. Reference the GitHub Security Advisory at https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-2rgj-gx5x-f62w for upgrade guidance. As a compensating control for environments that cannot immediately upgrade, disable the distributed pixel cache feature entirely by not configuring a remote pixel cache server - this eliminates the attack surface with the trade-off that distributed image processing will fall back to local disk or memory cache, potentially impacting throughput in high-volume pipelines. Additionally, network-level access controls (host-based firewall rules restricting connections to the pixel cache port) can reduce exposure, though they do not address the authentication weakness and should not substitute for patching.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Affected
SUSE Linux Enterprise Module for Development Tools 15 SP7 Affected
SUSE Linux Enterprise Module for Package Hub 15 SP7 Not-Affected

Share

CVE-2026-47165 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy