CVE-2026-33901
Published: 13 April 2026
Summary
CVE-2026-33901 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Imagemagick Imagemagick. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the heap buffer overflow in ImageMagick's MVG decoder by applying patches to versions 6.9.13-44 or 7.1.2-19.
Implements memory protections like address space randomization and heap hardening to mitigate exploitation of the out-of-bounds write.
Validates image inputs prior to processing by ImageMagick to reject crafted MVG files that trigger the buffer overflow.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated network exploitation of the heap buffer overflow in ImageMagick via crafted image input to a public-facing instance enables T1190; the resulting process crash/memory corruption directly facilitates T1499.004 for denial of service.
NVD Description
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, a heap buffer overflow occurs in the MVG decoder that could result in an out of bounds write when processing…
more
a crafted image. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
Deeper analysisAI
CVE-2026-33901 is a heap buffer overflow vulnerability in the MVG decoder of ImageMagick, a free and open-source software suite for editing and manipulating digital images. It affects all versions below 7.1.2-19 for the 7.x branch and below 6.9.13-44 for the 6.x branch, potentially leading to an out-of-bounds write when processing a specially crafted image file. The flaw is classified under CWE-122 (Heap-based Buffer Overflow) and CWE-787 (Out-of-bounds Write).
A remote, unauthenticated attacker can exploit this vulnerability over the network with low attack complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). By supplying a malicious image to an affected ImageMagick instance, the attacker can trigger the buffer overflow, resulting in high-impact denial of service through process crash or memory corruption, though no direct confidentiality or integrity impacts are scored.
Mitigation is available through patches released in ImageMagick versions 6.9.13-44 and 7.1.2-19. The official GitHub security advisory (GHSA-x9h5-r9v2-vcww) and the fixing commit (4c72003e9e54a4ebaa938d239e75f5d285527ebe) detail the resolution. Users of related libraries, such as Magick.NET, should update to version 14.12.0 or later, which incorporates the fix. Security practitioners are advised to upgrade immediately and validate image inputs where possible.
Details
- CWE(s)