Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
.NET NuGet

GHSA-3j4x-rwrx-xxj9

LOW

mageMagick has a possible use-after-free write in its PDB decoder

Published
Feb 25, 2026
Updated
Feb 25, 2026
Affected
19 pkgs
Patched
19 / 19
Exploits
None indexed

Blast Radius

19 pkgs affected
.NETMagick.NET-Q16-AnyCPU.NETMagick.NET-Q16-HDRI-AnyCPU.NETMagick.NET-Q16-HDRI-OpenMP-arm64.NETMagick.NET-Q16-HDRI-OpenMP-x64.NETMagick.NET-Q16-HDRI-arm64.NETMagick.NET-Q16-HDRI-x64.NETMagick.NET-Q16-HDRI-x86.NETMagick.NET-Q16-OpenMP-arm64+11 more

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects NuGet packages — download data is not available via public APIs for these ecosystems.

Description

A use-after-free vulnerability exists in the PDB decoder that will use a stale pointer when a memory allocation fails and that could result in a crash or a single zero byte write.

==4033155==ERROR: AddressSanitizer: UNKNOWN SIGNAL on unknown address 0x000000000000 (pc 0x5589c1971b24 bp 0x7ffdcc7ae2d0 sp 0x7ffdcc7adb20 T0)

==4034812==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f099e9f7800 at pc 0x5605d909ab20 bp 0x7ffe52045b50 sp 0x7ffe52045b40
WRITE of size 1 at 0x7f099e9f7800 thread T0

Affected Packages

19 total 19 fixed
EcosystemPackageVulnerable rangeFix
.NETNuGetMagick.NET-Q16-AnyCPUall versions14.10.3
.NETNuGetMagick.NET-Q16-HDRI-AnyCPUall versions14.10.3
.NETNuGetMagick.NET-Q16-HDRI-OpenMP-arm64all versions14.10.3
.NETNuGetMagick.NET-Q16-HDRI-OpenMP-x64all versions14.10.3
.NETNuGetMagick.NET-Q16-HDRI-arm64all versions14.10.3
.NETNuGetMagick.NET-Q16-HDRI-x64all versions14.10.3

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for Magick.NET-Q16-AnyCPU. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update Magick.NET-Q16-AnyCPU to 14.10.3 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-3j4x-rwrx-xxj9 is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-3j4x-rwrx-xxj9 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-3j4x-rwrx-xxj9. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

A use-after-free vulnerability exists in the PDB decoder that will use a stale pointer when a memory allocation fails and that could result in a crash or a single zero byte write. ``` ==4033155==ERROR: AddressSanitizer: UNKNOWN SIGNAL on unknown address 0x000000000000 (pc 0x5589c1971b24 bp 0x7ffdcc7ae2d0 sp 0x7ffdcc7adb20 T0) ``` ``` ==4034812==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f099e9f7800 at pc 0x5605d909ab20 bp 0x7ffe52045b50 sp 0x7ffe52045b40 WRITE of size 1 at 0x7f099e9f7800 thread T0 ```
O3 Security · Impact-Aware SCA

Is GHSA-3j4x-rwrx-xxj9 in your dependencies?

O3 detects GHSA-3j4x-rwrx-xxj9 across NuGet dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works