CVE-2026-33905
Published: 13 April 2026
Summary
CVE-2026-33905 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in Imagemagick Imagemagick. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 0.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates timely remediation of the out-of-bounds read flaw in ImageMagick by patching to fixed versions 6.9.13-44 or 7.1.2-19.
Supports identification of systems running vulnerable ImageMagick versions via scanning for CVE-2026-33905 to enable patching.
Deploys memory protections like address space randomization to mitigate unauthorized out-of-bounds reads that cause denial of service.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables exploitation via specially crafted image file requiring user interaction to process (T1204.002 Malicious File); results in application crash/DoS through out-of-bounds read (T1499.004 Application or System Exploitation).
NVD Description
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, the -sample operation has an out of bounds read when an specific offset is set through the `sample:offset` define that…
more
could lead to an out of bounds read. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
Deeper analysisAI
CVE-2026-33905 is an out-of-bounds read vulnerability in ImageMagick, a free and open-source software suite for editing and manipulating digital images. The flaw affects the `-sample` operation in versions prior to 7.1.2-19 and 6.9.13-44, where a specific offset set via the `sample:offset` define triggers the issue. Rated at CVSS 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) and mapped to CWE-125 (Out-of-bounds Read), it was published on 2026-04-13.
A local attacker with no privileges can exploit this vulnerability by tricking a user into processing a specially crafted image file using ImageMagick's `-sample` operation with a malicious `sample:offset` define. This requires low-complexity attack steps and user interaction, such as opening the file in an application that invokes ImageMagick. Successful exploitation results in high-impact availability disruption, potentially causing application crashes or denial of service, with no confidentiality or integrity impacts.
ImageMagick advisories recommend updating to fixed versions 6.9.13-44 or 7.1.2-19, as detailed in the GitHub security advisory GHSA-pcvx-ph33-r5vv and the relevant commit cca607366fb38c2dde019a9088b8415ffba3a835. The release notes for 7.1.2-19 confirm the patch, and downstream projects like Magick.NET have addressed it in version 14.12.0.
Details
- CWE(s)