CVE-2026-33900
Published: 13 April 2026
Summary
CVE-2026-33900 is a medium-severity Integer Overflow or Wraparound (CWE-190) vulnerability in ImageMagick (vendor: ImageMagick). Its CVSS base score is 5.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 5.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): mandates timely remediation of the integer truncation vulnerability in ImageMagick's viff encoder by patching vulnerable 32-bit builds.
- RA-5 (Vulnerability Monitoring and Scanning): requires vulnerability scanning to identify systems running affected 32-bit ImageMagick versions below 7.1.2-19 or 6.9.13-44.
- Input validation: enforces validation of image inputs to block specially crafted VIFF files that trigger the integer truncation and heap overflow.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remote, network-reachable exploit via crafted image input to ImageMagick that causes an application crash (denial of service) with no user interaction. This maps directly to T1190 (Exploit Public-Facing Application) for services that expose the library, and to T1499.004 (Application or System Exploitation) for the resulting availability impact.
NVD Description
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, the viff encoder contains an integer truncation/wraparound issue on 32-bit builds that could trigger an out of bounds heap write, potentially causing a crash. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
Deeper analysis
CVE-2026-33900 is an integer truncation/wraparound vulnerability (CWE-190) in the viff encoder of ImageMagick, a free and open-source software suite for editing and manipulating digital images. The flaw affects 32-bit builds of ImageMagick versions below 7.1.2-19 and 6.9.13-44, where it can trigger an out-of-bounds heap write, potentially leading to a crash. The vulnerability carries a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating medium severity primarily due to its availability impact.
A remote, unauthenticated attacker could exploit this vulnerability over the network by supplying a specially crafted image file that exercises the viff encoder on a vulnerable 32-bit ImageMagick installation. Attack complexity is high and no user interaction is needed, but the impact is limited to denial of service through application crashes caused by the heap overflow; no confidentiality or integrity impact is possible.
ImageMagick has addressed the issue in versions 6.9.13-44 and 7.1.2-19, as detailed in the project's security advisory (GHSA-v67w-737x-v2c9) and corresponding GitHub commit (d27b840a61b322419a66d0d192ff56d52498148d). Security practitioners should update to these patched releases; a related update is available in Magick.NET version 14.12.0. The vulnerability was published on 2026-04-13.
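To illustrate the bug class behind this advisory, the following C snippet is an added example and is not ImageMagick's viff encoder code (the advisory does not show the affected computation). It emulates a buffer-size calculation performed in a 32-bit size_t, which silently wraps, beside an overflow-checked version that rejects the input; the image dimensions are constructed values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative only: this is not the ImageMagick viff encoder code.
 * On a 32-bit build size_t is 32 bits wide, so a pixel-count product
 * computed in size_t wraps modulo 2^32.  uint32_t is used here to
 * reproduce that width on any host. */

/* Mirrors the unsafe pattern: the product is evaluated in 32 bits and
 * the wrapped value is what would be handed to the allocator, while the
 * encoder still writes width*height*channels bytes into the buffer. */
uint32_t unchecked_buffer_size32(uint32_t width, uint32_t height,
                                 uint32_t channels)
{
    return width * height * channels;
}

/* Overflow-checked alternative: the product is formed in 64 bits and
 * rejected if it does not fit in a 32-bit size_t, so the caller can
 * refuse the image instead of under-allocating. */
bool checked_buffer_size32(uint32_t width, uint32_t height,
                           uint32_t channels, uint32_t *out)
{
    uint64_t pixels = (uint64_t)width * height;
    if (pixels > UINT32_MAX)
        return false;
    uint64_t bytes = pixels * channels;   /* cannot exceed 64 bits */
    if (bytes > UINT32_MAX)
        return false;
    *out = (uint32_t)bytes;
    return true;
}

int main(void)
{
    /* Constructed dimensions: 65536 x 65537 x 1 = 2^32 + 65536 bytes */
    uint32_t w = 65536, h = 65537, c = 1, n;
    printf("wrapped size: %u bytes\n", unchecked_buffer_size32(w, h, c));
    if (!checked_buffer_size32(w, h, c, &n))
        printf("checked: rejected (product exceeds 32-bit size_t)\n");
    if (checked_buffer_size32(1024, 768, 3, &n))
        printf("checked: 1024x768x3 -> %u bytes\n", n);
    return 0;
}
```

The wrapped value (65536) is far smaller than the data the encoder would write, which is how a truncated size turns into an out-of-bounds heap write; the checked version refuses such inputs before any allocation.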
Details
- CWE(s)