Threat Advisory

ImageMagick Vulnerability Exposes Uncontrolled Resource Consumption

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in various versions of the Magick.NET-Q16 and Magick.NET-Q8 packages, which are used for image processing. The vulnerabilities include uncontrolled resource consumption and an out-of-bounds write, which can lead to CPU exhaustion and potential data corruption. These vulnerabilities pose a significant risk to organizations that rely on these packages for image processing, as they can be exploited by an attacker to cause a denial-of-service or potentially gain unauthorized access to sensitive data. The impact of these vulnerabilities can be severe, resulting in downtime and potential financial losses.

  • CVE-2026-46522 with a CVSS score of 7.5 – An infinite loop can occur in the MIFF decoder when processing a crafted file, resulting in CPU exhaustion. An attacker can exploit this vulnerability by crafting a malicious file that triggers the infinite loop.
  • CVE-2026-46520 with a CVSS score of 7.5 – An out-of-bounds heap write can occur in the IPL decoder when reading multiple images with different dimensions. An attacker can exploit this vulnerability by creating a malicious image file that triggers the out-of-bounds write.

The identified vulnerabilities pose a significant risk to organizations that rely on Magick.NET-Q16 and Magick.NET-Q8 packages for image processing. If exploited, these vulnerabilities can cause a denial-of-service or potentially gain unauthorized access to sensitive data, resulting in downtime and potential financial losses.

RECOMMENDATION:

  • We recommend updating nuget/Magick.NET-Q16 to version 14.13.1.
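A quick way to check whether a .NET code base still references an affected package version is to scan its project files for PackageReference entries and compare the pinned version against the fixed release. The script below is an added example for this advisory, not code from the advisory or from the Magick.NET project. It assumes that 14.13.1 is also the fixed version for Magick.NET-Q8 (the advisory states it only for Magick.NET-Q16) and that platform-specific package names sharing the Magick.NET-Q16/Magick.NET-Q8 prefix are affected in the same way; the sample project file is constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Fixed version stated in the advisory for Magick.NET-Q16.
# ASSUMPTION: the same version is treated as the fix for Magick.NET-Q8.
FIXED_VERSION = "14.13.1"

# ASSUMPTION: platform-specific variants (e.g. a "-AnyCPU" suffix) are matched
# by prefix so they are not silently skipped.
AFFECTED_PREFIXES = ("Magick.NET-Q16", "Magick.NET-Q8")


def parse_version(version):
    """Turn '14.13.1' into (14, 13, 1).

    Pre-release suffixes such as '-beta' are dropped, and non-numeric
    components (e.g. '*' in '14.*') are ignored, which makes the comparison
    conservative: '14.*' becomes (14,) and sorts below (14, 13, 1).
    """
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split(".") if part.isdigit())


def is_vulnerable(version):
    """True when the pinned version is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def is_affected_package(name):
    return name is not None and name.startswith(AFFECTED_PREFIXES)


def find_affected_references(csproj_xml):
    """Return (package, version, vulnerable) for every affected PackageReference.

    Handles both the attribute form (Version="...") and the child-element
    form (<Version>...</Version>) that MSBuild accepts.
    """
    root = ET.fromstring(csproj_xml)
    findings = []
    for ref in root.iter("PackageReference"):
        name = ref.get("Include")
        if not is_affected_package(name):
            continue
        version = ref.get("Version") or (ref.findtext("Version") or "").strip()
        findings.append((name, version, is_vulnerable(version)))
    return findings


# Constructed sample project file for the demonstration (not from the advisory).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Magick.NET-Q16" Version="14.12.0" />
    <PackageReference Include="Magick.NET-Q8">
      <Version>14.13.1</Version>
    </PackageReference>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>"""


if __name__ == "__main__":
    for name, version, vulnerable in find_affected_references(SAMPLE_CSPROJ):
        status = f"VULNERABLE, update to {FIXED_VERSION}" if vulnerable else "ok"
        print(f"{name} {version}: {status}")
```

Run it against each .csproj in a repository (for example by globbing for `*.csproj` and passing the file contents to `find_affected_references`); a non-empty list of entries flagged True is the set of projects that still need the upgrade.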

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-7gg8-qqx7-92g5
https://github.com/advisories/GHSA-36wm-hprc-mcf5
