SixLabors.ImageSharp vulnerable to data leakage
Description
ImageSharp is a 2D graphics API. A data leakage flaw was found in ImageSharp's JPEG and TGA decoders. This vulnerability is triggered when an attacker passes a specially crafted JPEG or TGA image file to software using ImageSharp, potentially disclosing sensitive information from other parts of the software in the resulting image buffer. The problem has been patched in v3.1.4 and v2.1.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ImageSharp JPEG and TGA decoders fail to clear buffers before reuse, allowing crafted images to leak sensitive data from memory; patched in v3.1.4 and v2.1.8.
Vulnerability Overview
A data leakage vulnerability exists in ImageSharp's JPEG and TGA decoders due to buffers not being cleared before reuse [1][3]. When decoding a specially crafted image file, the decoder may reuse memory buffers that contain residual data from previous operations, potentially exposing sensitive information from other parts of the software [1][3].
Exploitation
An attacker can trigger this vulnerability by providing a malicious JPEG or TGA image file to any application that uses the affected versions of ImageSharp [1][3]. No special privileges are required; the attacker only needs to supply the crafted image through normal input channels (e.g., file upload, network download) [1][3].
Impact
Successful exploitation could lead to the disclosure of sensitive data that resides in memory, such as cryptographic keys, user credentials, or other confidential information processed by the application [1][3]. The leaked data becomes part of the decoded image buffer, which may then be saved, displayed, or transmitted, compromising confidentiality [1][3].
Mitigation
The issue has been patched in ImageSharp versions 3.1.4 and 2.1.8 [1][3][4]. Users are strongly advised to upgrade to these versions immediately. No workarounds are available [3]. The fix ensures that buffers are properly cleared before reuse, preventing data leakage [4].
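The buffer-reuse flaw and the clear-before-reuse fix described above, as a simplified model added here (not ImageSharp's code and not the actual patch). `TinyPool`, `Decode` and the short-payload trigger are hypothetical stand-ins, and the secret string is a constructed sample.

```csharp
using System;
using System.Collections.Generic;
using System.Text;

// Hypothetical stand-in for a decoder's pooled allocator (not ImageSharp's allocator).
sealed class TinyPool
{
    private readonly Stack<byte[]> _free = new Stack<byte[]>();

    public byte[] Rent(int size, bool clear)
    {
        byte[] buf = _free.Count > 0 && _free.Peek().Length >= size
            ? _free.Pop()
            : new byte[size];
        if (clear) Array.Clear(buf, 0, buf.Length); // hardened path: wipe before reuse
        return buf;
    }

    public void Return(byte[] buf) => _free.Push(buf);
}

static class Program
{
    // Toy decoder (assumption): the header declares `declared` bytes of pixel data,
    // but a crafted file may carry fewer, so the tail of the buffer is never written.
    static byte[] Decode(TinyPool pool, int declared, byte[] payload, bool clear)
    {
        byte[] pixels = pool.Rent(declared, clear);
        Array.Copy(payload, pixels, Math.Min(payload.Length, declared));
        return pixels;
    }

    static void Main()
    {
        foreach (bool clear in new[] { false, true })
        {
            var pool = new TinyPool();
            // Another part of the application uses a pooled buffer, then returns it unwiped.
            byte[] other = pool.Rent(32, clear);
            Encoding.ASCII.GetBytes("api_key=CONSTRUCTED-SECRET").CopyTo(other, 0);
            pool.Return(other);
            // Constructed input: declares 32 bytes, supplies 4.
            byte[] image = Decode(pool, 32, new byte[] { 1, 2, 3, 4 }, clear);
            string tail = Encoding.ASCII.GetString(image, 4, 28).TrimEnd('\0');
            Console.WriteLine($"clear-before-reuse={clear}: stale bytes in image = \"{tail}\"");
        }
    }
}
```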
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| SixLabors.ImageSharp (NuGet) | < 2.1.8 | 2.1.8 |
| SixLabors.ImageSharp (NuGet) | >= 3.0.0, < 3.1.4 | 3.1.4 |
Affected products
- SixLabors/ImageSharp v5, Range: < 2.1.8
References
- github.com/advisories/GHSA-5x7m-6737-26cr (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-32036 (ghsa, ADVISORY)
- github.com/SixLabors/ImageSharp/commit/8f0b4d3e680e78d479a88e7b1472bccd8f096d68 (ghsa, x_refsource_MISC, WEB)
- github.com/SixLabors/ImageSharp/commit/da5f09a42513489fe359578d81cec2f15ba588ba (ghsa, x_refsource_MISC, WEB)
- github.com/SixLabors/ImageSharp/security/advisories/GHSA-5x7m-6737-26cr (ghsa, x_refsource_CONFIRM, WEB)