Skip to main content

Imagemagick EUVDEUVD-2026-22110

| CVE-2026-33908 HIGH
Uncontrolled Recursion (CWE-674)
2026-04-13 GitHub_M GHSA-fwvm-ggf6-2p4x
7.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 17, 2026 - 15:37 vuln.today
cvss_changed
Analysis Generated
Apr 15, 2026 - 12:35 vuln.today
Patch released
Apr 14, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 13, 2026 - 21:30 euvd
EUVD-2026-22110
Analysis Generated
Apr 13, 2026 - 21:30 vuln.today
CVE Published
Apr 13, 2026 - 21:06 nvd
HIGH 7.5

DescriptionCVE.org

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, Magick frees the memory of the XML tree via the DestroyXMLTree() function; however, this process is executed recursively with no depth limit imposed. When Magick processes an XML file with deeply nested structures, it will exhaust the stack memory, resulting in a Denial of Service (DoS) attack. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.

AnalysisAI

Stack exhaustion in ImageMagick's XML tree parser allows remote unauthenticated attackers to trigger denial-of-service conditions by submitting specially crafted XML files with deeply nested structures. Affects all versions below 6.9.13-44 and 7.1.2-19 across multiple platforms including the Magick.NET wrapper. EPSS score of 0.04% (12th percentile) indicates low observed exploitation probability, though the network-accessible attack vector (AV:N) and lack of authentication requirements (PR:N) present theoretical risk for internet-facing deployments processing untrusted XML input.

Technical ContextAI

ImageMagick processes various image formats including those embedding XML metadata (SVG, MVG, MSL). The vulnerability resides in the DestroyXMLTree() cleanup function in the XML parsing library, which implements recursive memory deallocation without stack depth guards. CWE-674 (Uncontrolled Recursion) manifests when the parser traverses deeply nested XML structures during cleanup operations. Each recursion level consumes stack frames until the process exhausts available stack memory, typically 8MB on Linux systems or 1MB on Windows, causing abrupt termination. This affects both the C/C++ ImageMagick core (CPE cpe:2.3:a:imagemagick:imagemagick) and downstream projects like Magick.NET that wrap the native library.

RemediationAI

Upgrade to ImageMagick 6.9.13-44 or later for 6.x deployments, or 7.1.2-19 or later for 7.x deployments. The fix implemented in commit ccdc01180276aa2cb3d4a32a611aa4f417061cd8 adds recursion depth limits to DestroyXMLTree() to prevent stack exhaustion. For Magick.NET users, upgrade to version 14.12.0 or later which incorporates the patched native library (https://github.com/dlemstra/Magick.NET/releases/tag/14.12.0). As a temporary workaround for environments unable to immediately patch, implement application-layer XML input validation to reject files with excessive nesting depth (recommend maximum 100-200 levels), disable processing of XML-based image formats (SVG, MVG, MSL) via policy.xml configuration if not required, or isolate ImageMagick processing in resource-limited containers with stack size restrictions to prevent broader system impact.

CVE-2017-15277 MEDIUM POC
6.5 Oct 12

ReadGIFImage in coders/gif.c in ImageMagick 7.0.6-1 and GraphicsMagick 1.3.26 leaves the palette uninitialized when proc

CVE-2016-5841 CRITICAL POC
9.8 Dec 13

Integer overflow in MagickCore/profile.c in ImageMagick before 7.0.2-1 allows remote attackers to cause a denial of serv

CVE-2016-3717 MEDIUM POC
5.5 May 05

The LABEL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to read arbitrary files vi

CVE-2016-5118 CRITICAL
9.8 Jun 10

The OpenBlob function in blob.c in GraphicsMagick before 1.3.24 and ImageMagick allows remote attackers to execute arbit

CVE-2016-5689 CRITICAL POC
9.8 Dec 13

The DCM reader in ImageMagick before 6.9.4-5 and 7.x before 7.0.1-7 allows remote attackers to have unspecified impact b

CVE-2016-5690 CRITICAL POC
9.8 Dec 13

The ReadDCMImage function in DCM reader in ImageMagick before 6.9.4-5 and 7.x before 7.0.1-7 allows remote attackers to

CVE-2016-5691 CRITICAL POC
9.8 Dec 13

The DCM reader in ImageMagick before 6.9.4-5 and 7.x before 7.0.1-7 allows remote attackers to have unspecified impact b

CVE-2017-14138 CRITICAL POC
9.8 Sep 04

ImageMagick 7.0.6-5 has a memory leak vulnerability in ReadWEBPImage in coders/webp.c because memory is not freed in cer

CVE-2026-23876 CRITICAL POC
9.8 Jan 20

Heap buffer overflow in ImageMagick's XBM image decoder (ReadXBMImage) lets remote attackers write attacker-controlled d

CVE-2023-34152 CRITICAL POC
9.8 May 30

A vulnerability was found in ImageMagick. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable

CVE-2019-19952 CRITICAL POC
9.8 Dec 24

In ImageMagick 7.0.9-7 Q16, there is a use-after-free in the function MngInfoDiscardObject of coders/png.c, related to R

CVE-2018-14551 CRITICAL POC
9.8 Jul 23

The ReadMATImageV4 function in coders/mat.c in ImageMagick 7.0.8-7 uses an uninitialized variable, leading to memory cor

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Development Tools 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed

Share

EUVD-2026-22110 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy