Cyber Resilience

CVE-2026-33908

HighDDoS

Published: 13 April 2026

Published
13 April 2026
Modified
17 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0002 5.8th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-33908 is a high-severity Uncontrolled Recursion (CWE-674) vulnerability in Imagemagick Imagemagick. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 5.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-33908 is a stack exhaustion vulnerability in ImageMagick, an open-source software suite for image editing and manipulation. In versions prior to 7.1.2-19 and 6.9.13-44, the Magick component processes XML files by recursively freeing memory in the XML tree via the DestroyXMLTree() function without imposing a depth limit. This allows deeply nested XML structures to exhaust stack memory, leading to a denial-of-service condition. The issue is classified under CWE-674 and carries a CVSS v3.1 base score of 7.5.

The vulnerability can be exploited by any remote attacker with network access, requiring low attack complexity, no privileges, and no user interaction. An attacker simply needs to supply a crafted image file containing deeply nested XML structures to an ImageMagick instance for processing, triggering recursive memory deallocation that overflows the stack and crashes the application, resulting in high-impact availability disruption with no confidentiality or integrity effects.

Mitigation is available through upgrades to ImageMagick versions 6.9.13-44 or 7.1.2-19, where the issue has been fixed. Official resources include the GitHub security advisory at GHSA-fwvm-ggf6-2p4x, the patching commit ccdc01180276aa2cb3d4a32a611aa4f417061cd8, and the release page for 7.1.2-19. A related update appears in Magick.NET version 14.12.0.

EU & UK References

Vulnerability details

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, Magick frees the memory of the XML tree via the `DestroyXMLTree()` function; however, this process is executed recursively with no…

more

depth limit imposed. When Magick processes an XML file with deeply nested structures, it will exhaust the stack memory, resulting in a Denial of Service (DoS) attack. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability is a stack exhaustion DoS in ImageMagick triggered by crafted input (deeply nested XML in image files), directly enabling application or system exploitation to crash the process and disrupt availability.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-25971Same product: Imagemagick Imagemagick
CVE-2026-30883Same product: Imagemagick Imagemagick
CVE-2026-26283Same product: Imagemagick Imagemagick
CVE-2026-25796Same product: Imagemagick Imagemagick
CVE-2026-22770Same product: Imagemagick Imagemagick
CVE-2026-25989Same product: Imagemagick Imagemagick
CVE-2026-28691Same product: Imagemagick Imagemagick
CVE-2026-25795Same product: Imagemagick Imagemagick
CVE-2026-30931Same product: Imagemagick Imagemagick
CVE-2026-25799Same product: Imagemagick Imagemagick

Affected Assets

imagemagick
imagemagick
≤ 6.9.13-44 · 7.0.0-0 — 7.1.2-19

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates timely flaw remediation by patching ImageMagick to fixed versions 6.9.13-44 or 7.1.2-19, eliminating the stack exhaustion vulnerability.

prevent

Provides comprehensive denial-of-service protections that mitigate resource exhaustion attacks like recursive stack overflow from deeply nested XML in crafted images.

prevent

Requires validation of image inputs containing XML structures to detect and reject deeply nested content that triggers unbounded recursion in DestroyXMLTree().

References