Memory Allocation with Excessive Size Value in SixLabors.ImageSharp
Description
ImageSharp is a 2D graphics API. A vulnerability was discovered in the ImageSharp library where the processing of specially crafted files can lead to excessive memory usage in image decoders. The vulnerability is triggered when ImageSharp attempts to process image files that are designed to exploit this flaw. This flaw can be exploited to cause a denial of service (DoS) by depleting process memory, thereby affecting applications and services that rely on ImageSharp for image processing tasks. Users and administrators are advised to update to the latest version of ImageSharp that addresses this vulnerability to mitigate the risk of exploitation. The problem has been patched in v3.1.4 and v2.1.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ImageSharp denial-of-service vulnerability via specially crafted image files that exhaust memory, fixed in versions 3.1.4 and 2.1.8.
Overview
A denial-of-service vulnerability exists in the SixLabors.ImageSharp library. The bug is triggered when the library processes specially crafted image files, leading to excessive memory allocation that can exhaust available process memory. The root cause is the absence of sufficient bounds checking and memory limits on the internal memory allocator, allowing a malicious image to trigger unbounded allocations.
Exploitation
An attacker can exploit this vulnerability by providing a crafted image file to any application or service that uses ImageSharp for image decoding. No authentication is required, and the attack can be carried out over the network if the application processes user-uploaded images. The flaw is present in the memory allocation layer, as shown in the commit that introduces memory group and single-buffer allocation limits [4]. Older versions do not enforce these limits.
Impact
Successful exploitation results in a denial of service. The affected application or service may become unresponsive or crash due to memory exhaustion. This can disrupt availability for legitimate users.
Mitigation
Users must update to ImageSharp version 3.1.4 or 2.1.8, which contain the fix [3][4]. The patch introduces configurable memory allocation limits (e.g., MemoryGroupAllocationLimitBytes and SingleBufferAllocationLimitBytes) that prevent unbounded allocations [4]. Administrators should also consider using DecoderOptions to limit decode size and frame count, and prefer Image.Identify() for preflight checks as recommended in the security documentation [2].
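The following C# snippet is an added example of the layered mitigation described above; it is not code from the page or from the ImageSharp project. It assumes ImageSharp 3.1.4 or later, where the public `MemoryAllocatorOptions.AllocationLimitMegabytes` setting exposes the allocation limits introduced by the fix, and it assumes `DecoderOptions.MaxFrames`, `DecoderOptions.TargetSize`, `Image.Identify()` and `InvalidMemoryOperationException` with the shapes used below. The numeric limits, the `SafeImageLoader` class and the `LoadUntrusted` method are choices made for this example.

```csharp
using System;
using System.IO;
using SixLabors.ImageSharp;
using SixLabors.ImageSharp.Formats;
using SixLabors.ImageSharp.Memory;
using SixLabors.ImageSharp.PixelFormats;

// Added example, not ImageSharp's own code. Assumes the 3.1.4+ public API.
public static class SafeImageLoader
{
    // Policy values chosen for this example; tune them to the service's real needs.
    private const int MaxWidth = 4096;
    private const int MaxHeight = 4096;
    private const uint MaxFrames = 8;
    private const int AllocationLimitMb = 64;

    // Call once at application startup. Caps the size of any single allocation the
    // decoders may request, so a crafted header cannot drive the allocator past the limit.
    // Assumes MemoryAllocatorOptions.AllocationLimitMegabytes (added in 3.1.4).
    public static void ConfigureAllocator()
    {
        Configuration.Default.MemoryAllocator = MemoryAllocator.Create(new MemoryAllocatorOptions
        {
            AllocationLimitMegabytes = AllocationLimitMb
        });
    }

    // Decodes an untrusted stream with a preflight dimension check, decoder-level caps,
    // and explicit handling of an over-limit allocation request.
    public static Image<Rgba32> LoadUntrusted(Stream input)
    {
        // Preflight: Image.Identify reads header metadata only and allocates no pixel buffers,
        // so oversized dimensions are rejected before any large allocation is attempted.
        input.Position = 0;
        ImageInfo info = Image.Identify(input);
        if (info.Width > MaxWidth || info.Height > MaxHeight)
        {
            throw new InvalidDataException(
                $"Image dimensions {info.Width}x{info.Height} exceed the {MaxWidth}x{MaxHeight} policy.");
        }

        // Second line of defence: caps applied by the decoder during the actual decode.
        var options = new DecoderOptions
        {
            MaxFrames = MaxFrames,                       // bounds multi-frame formats (GIF, TIFF, WebP)
            TargetSize = new Size(MaxWidth, MaxHeight)   // lets decoders that support it downscale early
        };

        input.Position = 0;
        try
        {
            return Image.Load<Rgba32>(options, input);
        }
        catch (InvalidMemoryOperationException ex)
        {
            // Assumed exception type: raised by the limited allocator instead of allocating.
            throw new InvalidDataException("Image rejected: decode would exceed the memory budget.", ex);
        }
    }
}
```

The preflight check and the decoder caps are complementary: `Image.Identify()` catches obviously hostile dimensions cheaply, while the allocator limit is the backstop for inputs whose header looks plausible but whose decoding still demands too much memory. Both exceptions are surfaced as `InvalidDataException` so the calling code can return a client error rather than let the worker process run out of memory.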
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| SixLabors.ImageSharp | NuGet | < 2.1.8 | 2.1.8 |
| SixLabors.ImageSharp | NuGet | >= 3.0.0, < 3.1.4 | 3.1.4 |
Affected products
- SixLabors/ImageSharp: affected range < 2.1.8
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-g85r-6x2q-45w7 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-32035 (NVD advisory)
- docs.sixlabors.com/articles/imagesharp.web/processingcommands.html (vendor documentation)
- docs.sixlabors.com/articles/imagesharp/security.html (vendor security documentation)
- github.com/SixLabors/ImageSharp/commit/b6b08ac3e7cea8da5ac1e90f7c0b67dd254535c3 (fix commit)
- github.com/SixLabors/ImageSharp/commit/f21d64188e59ae9464ff462056a5e29d8e618b27 (fix commit)
- github.com/SixLabors/ImageSharp/security/advisories/GHSA-g85r-6x2q-45w7 (vendor advisory)
News mentions
No linked articles in our index yet.