Description
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, a stack overflow vulnerability in ImageMagick's FX expression parser allows an attacker to crash the process by providing a deeply nested expression. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
Published: 2026-04-13
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The vulnerability originates from the FX expression parser in ImageMagick, which fails to enforce a recursion depth limit and therefore overflows the processor stack when handling a deeply nested expression. This results in the ImageMagick process terminating unexpectedly, causing a denial of service. The weakness is classified as a stack overflow and resource exhaustion, matching CWE‑674 and CWE‑770.

Affected Systems

ImageMagick, the image processing library. All releases earlier than 7.1.2‑19 and 6.9.13‑44 are affected.

Risk and Exploitability

The CVSS score of 5.5 indicates medium severity. No EPSS score is available and the vulnerability is not listed in CISA’s KEV catalog. An attacker must provide a malicious FX expression to a running ImageMagick instance; the resulting crash can interrupt services that rely on the library. The risk is elevated in environments where ImageMagick processes untrusted input, such as web servers or document conversion services.

Generated by OpenCVE AI on April 14, 2026 at 01:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to version 7.1.2‑19 or later, or 6.9.13‑44 or later.

Generated by OpenCVE AI on April 14, 2026 at 01:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-f4qm-vj5j-9xpw ImageMagick has a Stack Overflow via Recursive FX Expression Parsing
History

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Imagemagick
Imagemagick imagemagick
Vendors & Products Imagemagick
Imagemagick imagemagick

Tue, 14 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
References
Metrics threat_severity

None

 threat_severity

Moderate

Mon, 13 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Description ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, a stack overflow vulnerability in ImageMagick's FX expression parser allows an attacker to crash the process by providing a deeply nested expression. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
Title ImageMagick: Stack Overflow via Recursive FX Expression Parsing
Weaknesses CWE-674
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

Subscriptions

Imagemagick Imagemagick
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-14T15:51:26.551Z

Reserved: 2026-03-24T15:41:47.490Z

Link: CVE-2026-33902

cve-icon Vulnrichment

Updated: 2026-04-14T15:51:22.393Z

cve-icon NVD

Status : Received

Published: 2026-04-13T22:16:28.680

Modified: 2026-04-13T22:16:28.680

Link: CVE-2026-33902

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-13T20:59:47Z

Links: CVE-2026-33902 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:33:13Z

Weaknesses