Description
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-189 and 6.9.13-44, when `Magick` parses an XML file it is possible that a single zero byte is written out of the bounds. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
Published: 2026-04-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Out-of-bounds write; memory corruption
Action: Apply patch
AI Analysis

Impact

Parsing of an XML file in ImageMagick may trigger a heap buffer overflow that writes a single zero byte past the end of an allocated buffer. This overrun can corrupt memory, potentially leading to unstable system behavior or higher‑level exploitation such as local code execution. The flaw is classified under the CWE identifiers for heap buffer overflow (CWE‑122), signed integer overflow (CWE‑191), and out‑of‑bounds write (CWE‑805). The CVSS score for this vulnerability is 5.3, indicating a medium severity.

Affected Systems

The affected product is ImageMagick. Versions earlier than 7.1.2-189 and 6.9.13-44 are vulnerable. ImageMagick developers have issued a fix that was released in version 7.1.2‑19 and in 6.9.13‑44, effectively removing the error from later builds.

Risk and Exploitability

With a CVSS score of 5.3 and no publicly documented exploits, the likelihood of remote exploitation appears low; however, the vulnerability still permits local or internal attackers to corrupt memory by feeding crafted XML files to a running instance of Magick, potentially elevating privileges or causing denial of service. The lack of EPSS data and its absence from CISA's KEV catalog suggest limited exploitation activity, yet the known severity warrants prompt remediation.

Generated by OpenCVE AI on April 14, 2026 at 01:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update ImageMagick to 7.1.2‑19 or later
  • For 6.x users, upgrade to at least 6.9.13‑44
  • If an immediate update is not possible, avoid parsing untrusted XML files with Magick

Generated by OpenCVE AI on April 14, 2026 at 01:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4559-1 imagemagick security update
Debian DSA Debian DSA DSA-6240-1 imagemagick security update
Debian DSA Debian DSA DSA-6245-1 imagemagick security update
Github GHSA Github GHSA GHSA-cr67-pvmx-2pp2 ImageMagick has a heap-Buffer-Overflow write of a single zero byte when parsing xml.
History

Fri, 17 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*

Thu, 16 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Imagemagick
Imagemagick imagemagick
Vendors & Products Imagemagick
Imagemagick imagemagick

Tue, 14 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-805
References
Metrics threat_severity

None

 threat_severity

Moderate

Mon, 13 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
Description ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-189 and 6.9.13-44, when `Magick` parses an XML file it is possible that a single zero byte is written out of the bounds. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
Title ImageMagick: Heap BufferOverflow write of single zero byte when parsing XML
Weaknesses CWE-122
CWE-191
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Imagemagick Imagemagick
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-16T13:26:40.513Z

Reserved: 2026-03-24T15:41:47.490Z

Link: CVE-2026-33899

cve-icon Vulnrichment

Updated: 2026-04-16T13:26:19.443Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-13T21:16:25.170

Modified: 2026-04-17T21:20:26.970

Link: CVE-2026-33899

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-13T20:46:43Z

Links: CVE-2026-33899 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:33:16Z

Weaknesses