CVE-2026-33899

CWE-122Heap-based Buffer OverflowCWE-191CWE-8057 documents5 sources
Severity
5.3MEDIUM
EPSS
No EPSS data
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Imagemagick Imagemagick
Timeline
PublishedApr 13

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-189 and 6.9.13-44, when `Magick` parses an XML file it is possible that a single zero byte is written out of the bounds. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages18 packages

CVEListV5imagemagick/imagemagick< 6.9.13-44+1
NuGetMagick.NET-Q8-OpenMP-x64< 14.12.0
NuGetMagick.NET-Q16-OpenMP-x64< 14.12.0

🔴Vulnerability Details

2
GHSA
ImageMagick has a heap-Buffer-Overflow write of a single zero byte when parsing xml.2026-04-13
CVEList
ImageMagick: Heap BufferOverflow write of single zero byte when parsing XML2026-04-13

📋Vendor Advisories

1
Red Hat
ImageMagick: Magick.NET: ImageMagick: Denial of Service via out-of-bounds write in XML parsing2026-04-13

💬Community

3
Bugzilla
CVE-2026-33899 ImageMagick: Magick.NET: ImageMagick: Denial of Service via out-of-bounds write in XML parsing2026-04-13
Bugzilla
CVE-2026-33899 ImageMagick: ImageMagick: Denial of Service via out-of-bounds write in XML parsing [epel-all]2026-04-13
Bugzilla
CVE-2026-33899 ImageMagick: ImageMagick: Denial of Service via out-of-bounds write in XML parsing [fedora-all]2026-04-13
CVE-2026-33899 (MEDIUM CVSS 5.3) | ImageMagick is free and open-source | cvebase.io