CVE-2026-33901

CWE-122 — Heap-based Buffer Overflow CWE-787 — Out-of-bounds Write7 documents5 sources

Severity

7.5HIGH

EPSS

No EPSS data

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Imagemagick Imagemagick

Timeline

PublishedApr 13

Latest updateApr 14

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, a heap buffer overflow occurs in the MVG decoder that could result in an out of bounds write when processing a crafted image. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages18 packages

▶CVEListV5imagemagick/imagemagick< 7.1.2-19+1

▶NuGetMagick.NET-Q8-OpenMP-x64< 14.12.0

▶NuGetMagick.NET-Q16-OpenMP-x64< 14.12.0

▶NuGetMagick.NET-Q8-OpenMP-arm64< 14.12.0

▶NuGetMagick.NET-Q16-OpenMP-arm64< 14.12.0

🔴Vulnerability Details

GHSA

ImageMagick has a heap Buffer Overflow in ImageMagick MVG decoder↗2026-04-14

▶

CVEList

ImageMagick has a Heap Buffer Overflow via MVG decoder↗2026-04-13

▶

📋Vendor Advisories

Red Hat

ImageMagick: Magick.NET: ImageMagick: Denial of Service due to heap buffer overflow in MVG decoder↗2026-04-13

▶

💬Community

Bugzilla

CVE-2026-33901 ImageMagick: ImageMagick: Denial of Service due to heap buffer overflow in MVG decoder [fedora-all]↗2026-04-13

▶

Bugzilla

CVE-2026-33901 ImageMagick: Magick.NET: ImageMagick: Denial of Service due to heap buffer overflow in MVG decoder↗2026-04-13

▶

Bugzilla

CVE-2026-33901 ImageMagick: ImageMagick: Denial of Service due to heap buffer overflow in MVG decoder [epel-all]↗2026-04-13

▶