Skip to main content

Magick.NET CVE-2026-47166

MEDIUM
Out-of-bounds Read (CWE-125)
2026-05-22 https://github.com/ImageMagick/ImageMagick GHSA-6gxq-f64p-5w6f
5.7
CVSS 3.1 · Vendor: https://github.com/ImageMagick/ImageMagick
Share

Severity by source

Vendor (https://github.com/ImageMagick/ImageMagick) PRIMARY
5.7 MEDIUM
AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
6.0 MEDIUM
qualitative

Primary rating from Vendor (https://github.com/ImageMagick/ImageMagick).

CVSS VectorVendor: https://github.com/ImageMagick/ImageMagick

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 23, 2026 - 00:32 vuln.today
Analysis Generated
May 23, 2026 - 00:32 vuln.today

DescriptionCVE.org

An attacker who can connect to a magick -distribute-cache service can cause a heap buffer over-read in the server process.

AnalysisAI

Heap buffer over-read in ImageMagick's distributed pixel cache server affects all Magick.NET NuGet package variants prior to version 14.12.0. An attacker with the ability to connect to a running magick -distribute-cache service can trigger an out-of-bounds read (CWE-125) in the server process, resulting in high-severity confidentiality impact (memory disclosure) and availability impact (potential crash). No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the CVSS score of 5.7 reflects meaningful mitigating constraints: high attack complexity and high privileges required per the vector.

Technical ContextAI

ImageMagick's distributed pixel cache (-distribute-cache) is a network-accessible service that offloads pixel data storage to a remote or local server process, enabling distributed image processing workloads. The affected components are the Magick.NET NuGet wrappers (Q16 depth variants: AnyCPU, x64, x86, arm64, HDRI, OpenMP, and combinations thereof) which embed the underlying ImageMagick native libraries. CWE-125 (Out-of-bounds Read) indicates that a crafted request to the cache service causes the server to read beyond allocated heap memory, potentially exposing heap contents or causing a process crash. The CPE identifiers (e.g., pkg:nuget/magick.net-q16-anycpu, pkg:nuget/magick.net-q16-hdri-x64) confirm the vulnerability spans both standard and HDRI (High Dynamic Range Image) build configurations across multiple CPU architectures.

RemediationAI

The vendor-released patch is Magick.NET version 14.12.0, which resolves the heap over-read in all affected Q16 package variants. Operators should upgrade all Magick.NET NuGet dependencies to >= 14.12.0 via the NuGet package manager. Advisory details are at https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-6gxq-f64p-5w6f. As an immediate compensating control for environments that cannot patch, disable or avoid starting the magick -distribute-cache service entirely - the vulnerability is only exploitable when this service is running and accessible. If the distributed cache feature is required, restrict network or local socket access to the service using host-based firewall rules or OS-level access controls (e.g., bind only to loopback, restrict with iptables/nftables), limiting connection attempts to known trusted processes only. Note that disabling the distribute-cache service will remove distributed processing capability and may degrade performance in high-throughput imaging pipelines.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Affected
SUSE Linux Enterprise Module for Development Tools 15 SP7 Affected
SUSE Linux Enterprise Module for Package Hub 15 SP7 Not-Affected

Share

CVE-2026-47166 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy