CVE-2026-33908
Published: 13 April 2026
Summary
CVE-2026-33908 is a high-severity Uncontrolled Recursion (CWE-674) vulnerability in Imagemagick Imagemagick. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 5.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates timely flaw remediation by patching ImageMagick to fixed versions 6.9.13-44 or 7.1.2-19, eliminating the stack exhaustion vulnerability.
Provides comprehensive denial-of-service protections that mitigate resource exhaustion attacks like recursive stack overflow from deeply nested XML in crafted images.
Requires validation of image inputs containing XML structures to detect and reject deeply nested content that triggers unbounded recursion in DestroyXMLTree().
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a stack exhaustion DoS in ImageMagick triggered by crafted input (deeply nested XML in image files), directly enabling application or system exploitation to crash the process and disrupt availability.
NVD Description
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, Magick frees the memory of the XML tree via the `DestroyXMLTree()` function; however, this process is executed recursively with no…
more
depth limit imposed. When Magick processes an XML file with deeply nested structures, it will exhaust the stack memory, resulting in a Denial of Service (DoS) attack. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
Deeper analysisAI
CVE-2026-33908 is a stack exhaustion vulnerability in ImageMagick, an open-source software suite for image editing and manipulation. In versions prior to 7.1.2-19 and 6.9.13-44, the Magick component processes XML files by recursively freeing memory in the XML tree via the DestroyXMLTree() function without imposing a depth limit. This allows deeply nested XML structures to exhaust stack memory, leading to a denial-of-service condition. The issue is classified under CWE-674 and carries a CVSS v3.1 base score of 7.5.
The vulnerability can be exploited by any remote attacker with network access, requiring low attack complexity, no privileges, and no user interaction. An attacker simply needs to supply a crafted image file containing deeply nested XML structures to an ImageMagick instance for processing, triggering recursive memory deallocation that overflows the stack and crashes the application, resulting in high-impact availability disruption with no confidentiality or integrity effects.
Mitigation is available through upgrades to ImageMagick versions 6.9.13-44 or 7.1.2-19, where the issue has been fixed. Official resources include the GitHub security advisory at GHSA-fwvm-ggf6-2p4x, the patching commit ccdc01180276aa2cb3d4a32a611aa4f417061cd8, and the release page for 7.1.2-19. A related update appears in Magick.NET version 14.12.0.
Details
- CWE(s)