Skip to main content

Red Hat CVE-2026-33535

| EUVDEUVD-2026-16365 MEDIUM
Out-of-bounds Write (CWE-787)
2026-03-26 https://github.com/ImageMagick/ImageMagick GHSA-mw3m-pqr2-qv7c
4.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.0 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Red Hat
4.0 LOW
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 26, 2026 - 17:30 euvd
EUVD-2026-16365
Analysis Generated
Mar 26, 2026 - 17:30 vuln.today
CVE Published
Mar 26, 2026 - 17:17 nvd
MEDIUM 4.0

DescriptionGitHub Advisory

An out-of-bounds write of a zero byte exists in the X11 display interaction path that could lead to a crash.

AnalysisAI

X11 display interaction path contains an out-of-bounds write vulnerability that allows local attackers to crash affected applications through a single zero byte write. The medium-severity flaw (CVSS 4.0) requires no privileges or user interaction to trigger a denial of service condition. No patch is currently available for this vulnerability.

Technical ContextAI

The vulnerability resides in ImageMagick's X11 display handling subsystem, specifically an out-of-bounds write of a single null byte (CWE-787: Out-of-bounds Write). This memory corruption occurs during X11 display interaction, a protocol used for graphical rendering on Unix-like systems. The affected products include ImageMagick itself and its .NET wrapper Magick.NET (pkg:nuget/magick.net-* family), which includes variants for quantum depth (q16, q16-hdri) and parallel processing (openmp) across multiple CPU architectures. The null byte write suggests a boundary condition error in buffer management or string handling within the X11 rendering pipeline, where an off-by-one error or improper bounds checking allows writing past allocated memory.

RemediationAI

Upgrade ImageMagick to version 6.9.13-43 or later (legacy branch) or version 7.1.2-18 or later (current branch). For .NET environments, update all affected Magick.NET NuGet packages to patched versions corresponding to these ImageMagick releases. Consult the vendor security advisory at https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-mw3m-pqr2-qv7c for specific package versions. As an interim mitigation for systems with untrusted local users, restrict direct access to ImageMagick processing pipelines via file system permissions, containerization, or process isolation, and disable X11 display features if not required for the application workflow.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Development Tools 15 SP7 Fixed
SUSE Linux Enterprise Server 12 SP5-LTSS Fixed
SUSE Linux Enterprise Server 15 SP6-LTSS Fixed

Share

CVE-2026-33535 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy