Description
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, the viff encoder contains an integer truncation/wraparound issue on 32-bit builds that could trigger an out of bounds heap write, potentially causing a crash. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
Published: 2026-04-13
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

ImageMagick’s viff encoder on 32‑bit builds contains an integer overflow that can cause a wraparound in a heap allocation. When a crafted viff file is processed, the overflow produces an out‑of‑bounds write that corrupts heap memory, causing the ImageMagick process to crash. The resulting loss of service is the primary impact of this flaw.

Affected Systems

The issue affects all releases of ImageMagick older than 7.1.2‑19 and 6.9.13‑44 on 32‑bit platforms. It is limited to the viff encoder component and does not impact 64‑bit builds or later versions of the software.

Risk and Exploitability

With a CVSS score of 5.9, the vulnerability is considered moderate. No EPSS score is available, and it is not listed in the CISA KEV catalog, indicating limited known exploitation. Exploitation would require delivery of a specially crafted viff file to a system that processes untrusted images. The attack surface is therefore confined to environments that accept external image input, and the typical exploitation outcome is a crash rather than code execution or data theft.

Generated by OpenCVE AI on April 13, 2026 at 22:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the current ImageMagick version and confirm it is below 6.9.13‑44 or 7.1.2‑19 on a 32‑bit system
  • Upgrade the library to ImageMagick 6.9.13‑44 or later, or to ImageMagick 7.1.2‑19 or later
  • If a version upgrade cannot be performed immediately, disable the viff encoder or restrict untrusted image input to trusted environments

Generated by OpenCVE AI on April 13, 2026 at 22:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-v67w-737x-v2c9 ImageMagick has a heap overflow caused by integer overflow/wraparound in viff encoder on 32-bit builds
History

Tue, 14 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Imagemagick
Imagemagick imagemagick
Vendors & Products Imagemagick
Imagemagick imagemagick

Tue, 14 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Mon, 13 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Description ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-189 and 6.9.13-44, the viff encoder contains an integer truncation/wraparound issue on 32-bit builds that could trigger an out of bounds heap write, potentially causing a crash. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19. ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, the viff encoder contains an integer truncation/wraparound issue on 32-bit builds that could trigger an out of bounds heap write, potentially causing a crash. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.

Mon, 13 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
Description ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-189 and 6.9.13-44, the viff encoder contains an integer truncation/wraparound issue on 32-bit builds that could trigger an out of bounds heap write, potentially causing a crash. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
Title ImageMagick has a Heap overflow caused by integer overflow/wraparound in viff encoder on 32-bit builds
Weaknesses CWE-190
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Imagemagick Imagemagick
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-14T16:28:41.536Z

Reserved: 2026-03-24T15:41:47.490Z

Link: CVE-2026-33900

cve-icon Vulnrichment

Updated: 2026-04-14T15:29:36.577Z

cve-icon NVD

Status : Received

Published: 2026-04-13T21:16:25.333

Modified: 2026-04-13T22:16:28.567

Link: CVE-2026-33900

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-13T20:50:19Z

Links: CVE-2026-33900 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:33:15Z

Weaknesses