Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
3.7
ImageMagick: Information Disclosure via AES Nonce Reuse
GHSA-qv2q-c278-pch5
Summary
ImageMagick, a popular image processing tool, is vulnerable to information disclosure when using its encryption features. This means that sensitive information could potentially be exposed. To mitigate this risk, users should update to the latest version of ImageMagick and review its documentation on encryption usage.
What to do
- Update magick.net-q16-anycpu to version 14.12.0.
- Update magick.net-q16-hdri-anycpu to version 14.12.0.
- Update magick.net-q16-hdri-openmp-arm64 to version 14.12.0.
- Update magick.net-q16-hdri-arm64 to version 14.12.0.
- Update magick.net-q16-hdri-x64 to version 14.12.0.
- Update magick.net-q16-hdri-x86 to version 14.12.0.
- Update magick.net-q16-openmp-arm64 to version 14.12.0.
- Update magick.net-q16-openmp-x64 to version 14.12.0.
- Update magick.net-q16-arm64 to version 14.12.0.
- Update magick.net-q16-x64 to version 14.12.0.
- Update magick.net-q16-x86 to version 14.12.0.
- Update magick.net-q8-anycpu to version 14.12.0.
- Update magick.net-q8-openmp-arm64 to version 14.12.0.
- Update magick.net-q8-openmp-x64 to version 14.12.0.
- Update magick.net-q8-arm64 to version 14.12.0.
- Update magick.net-q8-x64 to version 14.12.0.
- Update magick.net-q8-x86 to version 14.12.0.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| NuGet | – | magick.net-q16-anycpu |
< 14.12.0 Fix: upgrade to 14.12.0
|
| NuGet | – | magick.net-q16-hdri-anycpu |
< 14.12.0 Fix: upgrade to 14.12.0
|
| NuGet | – | magick.net-q16-hdri-openmp-arm64 |
< 14.12.0 Fix: upgrade to 14.12.0
|
| NuGet | – | magick.net-q16-hdri-arm64 |
< 14.12.0 Fix: upgrade to 14.12.0
|
| NuGet | – | magick.net-q16-hdri-x64 |
< 14.12.0 Fix: upgrade to 14.12.0
|
| NuGet | – | magick.net-q16-hdri-x86 |
< 14.12.0 Fix: upgrade to 14.12.0
|
| NuGet | – | magick.net-q16-openmp-arm64 |
< 14.12.0 Fix: upgrade to 14.12.0
|
| NuGet | – | magick.net-q16-openmp-x64 |
< 14.12.0 Fix: upgrade to 14.12.0
|
| NuGet | – | magick.net-q16-arm64 |
< 14.12.0 Fix: upgrade to 14.12.0
|
| NuGet | – | magick.net-q16-x64 |
< 14.12.0 Fix: upgrade to 14.12.0
|
| NuGet | – | magick.net-q16-x86 |
< 14.12.0 Fix: upgrade to 14.12.0
|
| NuGet | – | magick.net-q8-anycpu |
< 14.12.0 Fix: upgrade to 14.12.0
|
| NuGet | – | magick.net-q8-openmp-arm64 |
< 14.12.0 Fix: upgrade to 14.12.0
|
| NuGet | – | magick.net-q8-openmp-x64 |
< 14.12.0 Fix: upgrade to 14.12.0
|
| NuGet | – | magick.net-q8-arm64 |
< 14.12.0 Fix: upgrade to 14.12.0
|
| NuGet | – | magick.net-q8-x64 |
< 14.12.0 Fix: upgrade to 14.12.0
|
| NuGet | – | magick.net-q8-x86 |
< 14.12.0 Fix: upgrade to 14.12.0
|
Original title
ImageMagick: Information Disclosure in PasskeyEncipherImage via AES-CTR nonce reuse
Original description
The PasskeyEncipherImage method is vulnerable to information disclosure via AES-CTR nonce reuse. ImageMagick has update the documentation on its website to make it more clear that this is happening: https://imagemagick.org/cipher/
osv CVSS3.1
3.7
Vulnerability type
CWE-323
CWE-330
Use of Insufficiently Random Values
Published: 21 May 2026 · Updated: 21 May 2026 · First seen: 21 May 2026