Description
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, a heap buffer overflow occurs in the MVG decoder that could result in an out of bounds write when processing a crafted image. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
Published: 2026-04-13
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Heap Buffer Overflow leading to potential memory corruption
Action: Immediate Patch
AI Analysis

Impact

A heap buffer overflow exists in the MVG decoder of ImageMagick that can be triggered by processing a specially crafted MVG file. The overflow causes an out‑of‑bounds write on the heap, which may corrupt adjacent memory. While the vulnerability description does not confirm arbitrary code execution, the corruption of memory could allow an attacker to compromise the integrity of the application or potentially execute malicious code if the corrupted data is interpreted as executable instructions.

Affected Systems

All releases of ImageMagick older than 7.1.2‑19 on the 7.x branch and older than 6.9.13‑44 on the 6.x branch are affected. Systems that depend on ImageMagick for processing user‑supplied images—such as web servers, content management systems, media conversion tools, or local desktop utilities—could be vulnerable if they handle an MVG file from an untrusted source.

Risk and Exploitability

The vulnerability carries a high severity score of 7.5 on the standardized scale. It is not listed in the known exploited vulnerabilities catalog, and recent exploit probability data are unavailable. The most likely attack path involves an attacker supplying a crafted MVG image to an application that accepts external image uploads or processes images from external sources. Successful exploitation could lead to memory corruption, potentially allowing further compromise of the system.

Generated by OpenCVE AI on April 13, 2026 at 23:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to version 6.9.13‑44 or newer in the 6.x branch, or to version 7.1.2‑19 or newer in the 7.x branch.
  • Verify that the patched version is active on all affected systems and that no older binaries remain in use.

Generated by OpenCVE AI on April 13, 2026 at 23:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4559-1 imagemagick security update
Debian DSA Debian DSA DSA-6240-1 imagemagick security update
Debian DSA Debian DSA DSA-6245-1 imagemagick security update
Github GHSA Github GHSA GHSA-x9h5-r9v2-vcww ImageMagick has a heap Buffer Overflow in ImageMagick MVG decoder
History

Fri, 17 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Imagemagick
Imagemagick imagemagick
Vendors & Products Imagemagick
Imagemagick imagemagick

Tue, 14 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Mon, 13 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
Description ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, a heap buffer overflow occurs in the MVG decoder that could result in an out of bounds write when processing a crafted image. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
Title ImageMagick has a Heap Buffer Overflow via MVG decoder
Weaknesses CWE-122
CWE-787
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Imagemagick Imagemagick
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-14T13:51:00.488Z

Reserved: 2026-03-24T15:41:47.490Z

Link: CVE-2026-33901

cve-icon Vulnrichment

Updated: 2026-04-14T13:50:56.545Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-13T21:16:25.497

Modified: 2026-04-17T20:46:41.380

Link: CVE-2026-33901

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-13T20:56:12Z

Links: CVE-2026-33901 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:33:14Z

Weaknesses