CVE-2026-33908

CWE-674 — Uncontrolled Recursion CWE-776 — XML Entity Expansion (Billion Laughs)7 documents5 sources

Severity

7.5HIGH

EPSS

No EPSS data

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Imagemagick Imagemagick

Timeline

PublishedApr 13

Latest updateApr 14

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, Magick frees the memory of the XML tree via the `DestroyXMLTree()` function; however, this process is executed recursively with no depth limit imposed. When Magick processes an XML file with deeply nested structures, it will exhaust the stack memory, resulting in a Denial of Service (DoS) attack. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages18 packages

▶CVEListV5imagemagick/imagemagick< 6.9.13-44+1

▶NuGetMagick.NET-Q8-OpenMP-x64< 14.12.0

▶NuGetMagick.NET-Q16-OpenMP-x64< 14.12.0

▶NuGetMagick.NET-Q8-OpenMP-arm64< 14.12.0

▶NuGetMagick.NET-Q16-OpenMP-arm64< 14.12.0

🔴Vulnerability Details

GHSA

ImageMagick has a Stack Overflow in DestroyXMLTree()↗2026-04-14

▶

CVEList

ImageMagick is vulnerable to Stack Overflow in DestroyXMLTree()↗2026-04-13

▶

📋Vendor Advisories

Red Hat

ImageMagick: Magick.NET: ImageMagick: Denial of Service via deeply nested XML file processing↗2026-04-13

▶

💬Community

Bugzilla

CVE-2026-33908 ImageMagick: ImageMagick: Denial of Service via deeply nested XML file processing [fedora-all]↗2026-04-13

▶

Bugzilla

CVE-2026-33908 ImageMagick: ImageMagick: Denial of Service via deeply nested XML file processing [epel-all]↗2026-04-13

▶

Bugzilla

CVE-2026-33908 ImageMagick: Magick.NET: ImageMagick: Denial of Service via deeply nested XML file processing↗2026-04-13

▶