3.3
ImageMagick: Out-of-bounds read in image processing can reveal sensitive information
GHSA-q8h3-jv9v-57qx
Summary
A bug in ImageMagick's image processing can allow an attacker to read sensitive information from memory. This can happen when the software tries to process certain types of images. Update ImageMagick to the latest version to fix this issue.
What to do
- Update magick.net-q16-anycpu to version 14.20.0.
- Update magick.net-q16-hdri-anycpu to version 14.20.0.
- Update magick.net-q16-hdri-openmp-arm64 to version 14.20.0.
- Update magick.net-q16-hdri-arm64 to version 14.20.0.
- Update magick.net-q16-hdri-x64 to version 14.20.0.
- Update magick.net-q16-hdri-x86 to version 14.20.0.
- Update magick.net-q16-openmp-arm64 to version 14.20.0.
- Update magick.net-q16-openmp-x64 to version 14.20.0.
- Update magick.net-q16-arm64 to version 14.20.0.
- Update magick.net-q16-x64 to version 14.20.0.
- Update magick.net-q16-x86 to version 14.20.0.
- Update magick.net-q16-hdri-openmp-x64 to version 14.20.0.
- Update magick.net-q8-anycpu to version 14.20.0.
- Update magick.net-q8-openmp-arm64 to version 14.20.0.
- Update magick.net-q8-openmp-x64 to version 14.20.0.
- Update magick.net-q8-arm64 to version 14.20.0.
- Update magick.net-q8-x64 to version 14.20.0.
- Update magick.net-q8-x86 to version 14.20.0.
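To check a code base against the update list above, the following added example (not part of the advisory or of Magick.NET) scans an MSBuild project or `Directory.Packages.props` file for the listed packages and compares their versions with 14.20.0. The function names and the sample project are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

FIXED = (14, 20, 0)  # fixed version stated in the advisory
# The 18 package IDs the advisory lists: 3 quantum variants x 6 platform builds.
AFFECTED = {f"magick.net-{q}-{p}"
            for q in ("q8", "q16", "q16-hdri")
            for p in ("anycpu", "arm64", "x64", "x86", "openmp-arm64", "openmp-x64")}
PLAIN_VERSION = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:\.\d+)?")

def _local(tag):
    """Drop an XML namespace so old-style and SDK-style projects both match."""
    return tag.rsplit("}", 1)[-1]

def check_project(xml_text):
    """Return (package, version, status) for every affected reference; status is
    'vulnerable', 'fixed' or 'unresolved' (missing, floating, range or
    prerelease version, to be resolved from the lock file or restore output)."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) not in ("PackageReference", "PackageVersion"):
            continue
        name = (el.get("Include") or el.get("Update") or "").strip()
        if name.lower() not in AFFECTED:  # NuGet package IDs are case-insensitive
            continue
        version = el.get("Version")
        if version is None:  # <Version> child element form
            version = next((c.text for c in el if _local(c.tag) == "Version"), None)
        version = (version or "").strip()
        m = PLAIN_VERSION.fullmatch(version)
        if m is None:
            status = "unresolved"
        else:
            parsed = tuple(int(g or 0) for g in m.groups())
            status = "vulnerable" if parsed < FIXED else "fixed"
        findings.append((name, version, status))
    return findings

# Constructed sample project file, not taken from a real repository.
SAMPLE = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="Magick.NET-Q16-AnyCPU" Version="14.9.1" />
  <PackageReference Include="Magick.NET-Q8-x64"><Version>14.20.0</Version></PackageReference>
  <PackageReference Include="Magick.NET-Q16-HDRI-OpenMP-arm64" Version="14.*" />
  <PackageReference Include="Magick.NET.Core" Version="14.9.1" />
</ItemGroup></Project>"""

if __name__ == "__main__":
    for name, version, status in check_project(SAMPLE):
        print(f"{status:10} {name} {version}")
```

An `unresolved` result means the declared version is not a plain number, so the version actually restored has to be read from `packages.lock.json` or the restore output.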
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| nuget | – | magick.net-q16-anycpu | < 14.20.0 (Fix: upgrade to 14.20.0) |
| nuget | – | magick.net-q16-hdri-anycpu | < 14.20.0 (Fix: upgrade to 14.20.0) |
| nuget | – | magick.net-q16-hdri-openmp-arm64 | < 14.20.0 (Fix: upgrade to 14.20.0) |
| nuget | – | magick.net-q16-hdri-arm64 | < 14.20.0 (Fix: upgrade to 14.20.0) |
| nuget | – | magick.net-q16-hdri-x64 | < 14.20.0 (Fix: upgrade to 14.20.0) |
| nuget | – | magick.net-q16-hdri-x86 | < 14.20.0 (Fix: upgrade to 14.20.0) |
| nuget | – | magick.net-q16-openmp-arm64 | < 14.20.0 (Fix: upgrade to 14.20.0) |
| nuget | – | magick.net-q16-openmp-x64 | < 14.20.0 (Fix: upgrade to 14.20.0) |
| nuget | – | magick.net-q16-arm64 | < 14.20.0 (Fix: upgrade to 14.20.0) |
| nuget | – | magick.net-q16-x64 | < 14.20.0 (Fix: upgrade to 14.20.0) |
| nuget | – | magick.net-q16-x86 | < 14.20.0 (Fix: upgrade to 14.20.0) |
| nuget | – | magick.net-q16-hdri-openmp-x64 | < 14.20.0 (Fix: upgrade to 14.20.0) |
| nuget | – | magick.net-q8-anycpu | < 14.20.0 (Fix: upgrade to 14.20.0) |
| nuget | – | magick.net-q8-openmp-arm64 | < 14.20.0 (Fix: upgrade to 14.20.0) |
| nuget | – | magick.net-q8-openmp-x64 | < 14.20.0 (Fix: upgrade to 14.20.0) |
| nuget | – | magick.net-q8-arm64 | < 14.20.0 (Fix: upgrade to 14.20.0) |
| nuget | – | magick.net-q8-x64 | < 14.20.0 (Fix: upgrade to 14.20.0) |
| nuget | – | magick.net-q8-x86 | < 14.20.0 (Fix: upgrade to 14.20.0) |
Original title
ImageMagick has an off-by-one origin validation that allows out-of-bounds read in morphology processing
Original description
An incorrect morphology would allow an out of bounds read of a single pixel.
```
==1200284==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5100000002d0 at pc 0x59e28e60c27a bp 0x7fff047fd8e0 sp 0x7fff047fd8d0
READ of size 4 at 0x5100000002d0 thread T0
```
ghsa CVSS3.1
3.3
Vulnerability type
CWE-125
Out-of-bounds Read
CWE-193
Published: 14 Apr 2026 · Updated: 15 Apr 2026 · First seen: 15 Apr 2026