Description
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, Magick frees the memory of the XML tree via the `DestroyXMLTree()` function; however, this process is executed recursively with no depth limit imposed. When Magick processes an XML file with deeply nested structures, it will exhaust the stack memory, resulting in a Denial of Service (DoS) attack. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
Published: 2026-04-13
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Now
AI Analysis

Impact

ImageMagick frees the memory of the XML tree through the DestroyXMLTree() function without imposing a depth limit on the recursive cleanup. When an XML document with deeply nested structures is processed, the stack is exhausted, causing the application to terminate. The primary consequence is a denial of service that can prevent the affected software from processing any further images. The weakness is related to uncontrollable recursion and memory exhaustion.

Affected Systems

ImageMagick installations that run versions earlier than 7.1.2‑19 and 6.9.13‑44 are affected. The vulnerability exists in the core ImageMagick product and its .NET bindings such as Magick.NET. Any instance that processes XML input from untrusted sources using these versions is at risk.

Risk and Exploitability

The CVSS score of 7.5 places this issue in the high‑severity range, indicating a significant impact if exploited. While no exploit has been reported in the CISA KEV catalog and the EPSS score is not available, the attack vector is inferred: an attacker can trigger the denial of service by delivering a specially crafted XML file to any ImageMagick instance that accepts untrusted input. The vulnerability is exploitable on a local or remote basis if the ImageMagick engine is invoked by a service exposed to external users.

Generated by OpenCVE AI on April 14, 2026 at 01:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to version 7.1.2‑19 or later, or 6.9.13‑44 or later.
  • Check that the update has been applied to all binaries, including compiled binaries in environments such as Magick.NET.
  • If an upgrade is not immediately possible, validate or sanitize XML input to limit nesting depth before passing it to ImageMagick.
  • Limit the exposure of services that use ImageMagick to external input, or isolate them behind a firewall to reduce attack surface.

Generated by OpenCVE AI on April 14, 2026 at 01:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-fwvm-ggf6-2p4x ImageMagick has a Stack Overflow in DestroyXMLTree()
History

Tue, 14 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Imagemagick
Imagemagick imagemagick
Vendors & Products Imagemagick
Imagemagick imagemagick

Tue, 14 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-776
References
Metrics threat_severity

None

 threat_severity

Important

Mon, 13 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Description ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, Magick frees the memory of the XML tree via the `DestroyXMLTree()` function; however, this process is executed recursively with no depth limit imposed. When Magick processes an XML file with deeply nested structures, it will exhaust the stack memory, resulting in a Denial of Service (DoS) attack. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
Title ImageMagick is vulnerable to Stack Overflow in DestroyXMLTree()
Weaknesses CWE-674
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Imagemagick Imagemagick
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-14T16:28:36.167Z

Reserved: 2026-03-24T15:41:47.491Z

Link: CVE-2026-33908

cve-icon Vulnrichment

Updated: 2026-04-14T15:29:57.180Z

cve-icon NVD

Status : Received

Published: 2026-04-13T22:16:28.997

Modified: 2026-04-13T22:16:28.997

Link: CVE-2026-33908

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-13T21:06:42Z

Links: CVE-2026-33908 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:33:10Z

Weaknesses