Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-18 and 6.9.13-43, an out-of-bounds write of a zero byte exists in the X11 `display` interaction path that could lead to a crash. Versions 7.1.2-18 and 6.9.13-43 patch the issue.
Published: 2026-03-26
Score: 4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Out-of-Bounds Write Leading to Crash
Action: Apply Patch
AI Analysis

Impact

A zero byte is written beyond the bounds of a memory buffer in the X11 display interaction of ImageMagick, resulting in a program crash. The flaw is identified as an out-of-bounds write (CWE-787) and does not directly provide remote code execution or data disclosure. When triggered, the target application may terminate unexpectedly and a denial‑of‑service condition can be induced on the affected system.

Affected Systems

ImageMagick versions older than 7.1.2-18 and 6.9.13-43 are affected. The software is distributed as open‑source image editing and manipulation tools; updates newer than the listed versions provide the fix.

Risk and Exploitability

The CVSS score of 4 indicates moderate severity, and the EPSS score of less than 1% suggests low likelihood of widespread exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires a process that interacts with the X11 display interface, so the attack vector is likely local or requires an attacker to deliver a malicious image via a service that hands it to ImageMagick while an X11 session is available. The outcome is limited to causing the application to crash or become unavailable rather than enabling further system compromise.

Generated by OpenCVE AI on April 2, 2026 at 22:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to version 7.1.2-18 or later, or 6.9.13-43 or newer to apply the vendor patch.
  • If an upgrade is temporarily impossible, configure ImageMagick to avoid using the X11 display interface or disable services that employ it.
  • Monitor system logs for crashes or abnormal terminations that may indicate exploitation attempts.
  • Verify that the patched binaries are deployed by checking the version string in affected applications.
  • Ensure that any third‑party pipelines or automation that invoke ImageMagick are updated to use the secure, patched versions.

Generated by OpenCVE AI on April 2, 2026 at 22:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4539-1 imagemagick security update
Debian DSA Debian DSA DSA-6210-1 imagemagick security update
Debian DSA Debian DSA DSA-6240-1 imagemagick security update
Github GHSA Github GHSA GHSA-mw3m-pqr2-qv7c ImageMagick has an Out-of-Bounds write of a zero byte in its X11 display interaction
History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*

Fri, 27 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Low

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Imagemagick
Imagemagick imagemagick
Vendors & Products Imagemagick
Imagemagick imagemagick

Thu, 26 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
Description ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-18 and 6.9.13-43, an out-of-bounds write of a zero byte exists in the X11 `display` interaction path that could lead to a crash. Versions 7.1.2-18 and 6.9.13-43 patch the issue.
Title ImageMagick has an Out-of-Bounds write of a zero byte in its X11 display interaction
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Imagemagick Imagemagick
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T20:02:06.512Z

Reserved: 2026-03-20T18:05:11.831Z

Link: CVE-2026-33535

cve-icon Vulnrichment

Updated: 2026-03-27T19:52:57.975Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T20:16:15.723

Modified: 2026-04-02T17:51:22.880

Link: CVE-2026-33535

cve-icon Redhat

Severity : Low

Publid Date: 2026-03-26T19:52:30Z

Links: CVE-2026-33535 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T09:38:50Z

Weaknesses