GHSA-42p5-62qq-mmh7

MEDIUM5.3

ImageMagick has a heap buffer over-read in its MAP image decoder

Published Feb 24, 2026

Modified 1 weeks ago

Fix available

Details

A heap buffer over-read vulnerability exists in the MAP image decoder when processing crafted MAP files, potentially leading to crashes or unintended memory disclosure during image decoding.

=================================================================
==4070926==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x502000002b31 at pc 0x56517afbd910 bp 0x7ffc59e90000 sp 0x7ffc59e8fff0
READ of size 1 at 0x502000002b31 thread T0

Affected Packages(19 packages)

Magick.NET-Q16-AnyCPU

NuGet

Fixed in:

14.10.3

Magick.NET-Q16-HDRI-AnyCPU

NuGet

Fixed in:

14.10.3

Magick.NET-Q16-HDRI-OpenMP-arm64

NuGet

Fixed in:

14.10.3

Magick.NET-Q16-HDRI-OpenMP-x64

NuGet

Fixed in:

14.10.3

Magick.NET-Q16-HDRI-arm64

NuGet

Fixed in:

14.10.3

Magick.NET-Q16-HDRI-x64

NuGet

Fixed in:

14.10.3

Magick.NET-Q16-HDRI-x86

NuGet

Fixed in:

14.10.3

Magick.NET-Q16-OpenMP-arm64

NuGet

Fixed in:

14.10.3

Magick.NET-Q16-OpenMP-x64

NuGet

Fixed in:

14.10.3

Magick.NET-Q16-OpenMP-x86

NuGet

Fixed in:

14.10.3

References

https://github.com/ImageMagick/ImageMagick

https://github.com/ImageMagick/ImageMagick/commit/bbae0215e1b76830509fd20e6d37c0dd7e3e4c3a

https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-42p5-62qq-mmh7

https://github.com/advisories/GHSA-42p5-62qq-mmh7

https://github.com/dlemstra/Magick.NET/releases/tag/14.10.3

https://nvd.nist.gov/vuln/detail/CVE-2026-25987

Aliases

CVSS Analysis

CVSS v3.1

5.3

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

Scope

UnchangedS:U

Impact

Confidentiality

LowC:L

Integrity

NoneI:N

Availability

NoneA:N

5.3/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Related

Ecosystems

Timeline

PublishedFeb 24, 2026

ModifiedFeb 24, 2026

GHSA-42p5-62qq-mmh7 | Mondoo Vulnerability Intelligence