Threat Advisory

ImageMagick Vulnerabilities Expose Invalid Image Dimensions

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in Magick.NET packages prior to version 14.14.0. These issues include an out-of-bounds heap write in an image decoder, a missing memory-limit check leading to out-of-memory conditions, and a decoder policy bypass that produces images with invalid dimensions. Successful exploitation of these flaws could allow remote attackers to trigger application crashes or denial of service conditions by submitting maliciously crafted image files. The resulting instability poses a significant risk to service availability and business continuity for applications relying on this library.

  • CVE-2026-53461 with a CVSS score of 7.5 – An incorrect loop in the ICON decoder leads to an out-of-bounds heap write, which can be exploited by a remote attacker to cause an application crash.
  • CVE-2026-53460 with a CVSS score of 7.5 – A missing check for maximum memory requests in AcquireAlignedMemory can trigger an out-of-memory condition, allowing an attacker to induce a denial of service without user interaction.
  • CVE-2026-49218 with a CVSS score of 7.5 – A missing check in the DCM decoder permits policy bypasses resulting in images with invalid dimensions, potentially causing crashes in subsequent operations.

These vulnerabilities present a high risk to enterprise environments due to the ease of exploitation over the network without user interaction. Exploitation could lead to severe service disruption and denial of service, impacting operational workflows and user trust. Immediate attention is required to ensure the continued stability and availability of affected systems.

RECOMMENDATION:

  • We recommend updating Magick.NET packages to version 14.14.0.
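As an added check that is not part of the advisory: a Python script that scans a .csproj for Magick.NET PackageReference entries still below the fixed version 14.14.0. The project file below is constructed, and pre-release tags are treated as sorting below the matching final release (an assumption).

```python
import re
import xml.etree.ElementTree as ET

# Fixed version from the advisory; the trailing 1 marks a final (non-pre-release) build
FIXED_VERSION = (14, 14, 0, 1)

# Constructed sample project file, not taken from any real project
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Magick.NET-Q16-AnyCPU" Version="14.13.0" />
    <PackageReference Include="Magick.NET.Core" Version="14.14.0-beta.1" />
    <PackageReference Include="Magick.NET.SystemDrawing" Version="14.14.0" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>"""


def parse_version(text):
    """Return (major, minor, patch, is_final) or None if the string is not a version.
    Assumption: a '-' suffix (e.g. 14.14.0-beta.1) is a pre-release that sorts
    below the final release carrying the same numbers."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:\.\d+)?(-.*)?", text.strip())
    if not m:
        return None
    return (int(m[1]), int(m[2]), int(m[3] or 0), 0 if m[4] else 1)


def find_vulnerable_packages(csproj_xml, fixed=FIXED_VERSION):
    """List (package, version) for every Magick.NET reference below the fixed version.
    Missing or unparseable versions are reported too, so nothing slips through."""
    findings = []
    for el in ET.fromstring(csproj_xml).iter():
        # Drop any MSBuild namespace prefix so old-style csproj files match as well
        if el.tag.rsplit("}", 1)[-1] != "PackageReference":
            continue
        name = el.get("Include", "")
        if not name.startswith("Magick.NET"):
            continue
        version = el.get("Version") or (el.findtext("Version") or "")
        parsed = parse_version(version)
        if parsed is None or parsed < fixed:
            findings.append((name, version))
    return findings


if __name__ == "__main__":
    for name, version in find_vulnerable_packages(SAMPLE_CSPROJ):
        print(f"{name} {version or '(no version)'} is below 14.14.0: update")
```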

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-g22q-f7gc-5jhr
https://github.com/advisories/GHSA-q62c-h75r-2xhc
https://github.com/advisories/GHSA-8pj9-6897-74xc
