Cyber Resilience

CVE-2026-33901

High

Published: 13 April 2026

Published
13 April 2026
Modified
17 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0002 5.3th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-33901 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Imagemagick Imagemagick. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-33901 is a heap buffer overflow vulnerability in the MVG decoder of ImageMagick, a free and open-source software suite for editing and manipulating digital images. It affects all versions below 7.1.2-19 for the 7.x branch and below 6.9.13-44 for the 6.x branch, potentially leading to an out-of-bounds write when processing a specially crafted image file. The flaw is classified under CWE-122 (Heap-based Buffer Overflow) and CWE-787 (Out-of-bounds Write).

A remote, unauthenticated attacker can exploit this vulnerability over the network with low attack complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). By supplying a malicious image to an affected ImageMagick instance, the attacker can trigger the buffer overflow, resulting in high-impact denial of service through process crash or memory corruption, though no direct confidentiality or integrity impacts are scored.

Mitigation is available through patches released in ImageMagick versions 6.9.13-44 and 7.1.2-19. The official GitHub security advisory (GHSA-x9h5-r9v2-vcww) and the fixing commit (4c72003e9e54a4ebaa938d239e75f5d285527ebe) detail the resolution. Users of related libraries, such as Magick.NET, should update to version 14.12.0 or later, which incorporates the fix. Security practitioners are advised to upgrade immediately and validate image inputs where possible.

EU & UK References

Vulnerability details

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, a heap buffer overflow occurs in the MVG decoder that could result in an out of bounds write when processing…

more

a crafted image. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote unauthenticated network exploitation of the heap buffer overflow in ImageMagick via crafted image input to a public-facing instance enables T1190; the resulting process crash/memory corruption directly facilitates T1499.004 for denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-32636Same product: Imagemagick Imagemagick
CVE-2026-25986Same product: Imagemagick Imagemagick
CVE-2026-25897Same product: Imagemagick Imagemagick
CVE-2026-25968Same product: Imagemagick Imagemagick
CVE-2026-25967Same product: Imagemagick Imagemagick
CVE-2026-28693Same product: Imagemagick Imagemagick
CVE-2026-26284Same product: Imagemagick Imagemagick
CVE-2026-25969Same product: Imagemagick Imagemagick
CVE-2026-25983Same product: Imagemagick Imagemagick
CVE-2026-33900Same product: Imagemagick Imagemagick

Affected Assets

imagemagick
imagemagick
≤ 6.9.13-44 · 7.0.0-0 — 7.1.2-19

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the heap buffer overflow in ImageMagick's MVG decoder by applying patches to versions 6.9.13-44 or 7.1.2-19.

prevent

Implements memory protections like address space randomization and heap hardening to mitigate exploitation of the out-of-bounds write.

prevent

Validates image inputs prior to processing by ImageMagick to reject crafted MVG files that trigger the buffer overflow.

References