ImageMagick, Out-of-Bounds Read, CVE-2026-33905 (Moderate)

Listen to this Post

The `-sample` operation in ImageMagick is used to scale images by sampling pixels. A flaw exists in the logic that handles an arbitrary offset during this operation, specifically when the `sample:offset` define is supplied by a user. When processing a crafted image, a vulnerable function does not properly validate the provided offset value against the bounds of the pixel buffer. If an attacker supplies an offset that falls outside the intended memory region, the operation will attempt to read from an invalid memory address. This results in an out-of-bounds read (CWE-125). Because the `-sample` operation is triggered by processing an image, the attack vector is remote. The attacker must convince a user to open a specially crafted image file. The primary consequence is a crash, causing a denial of service (DoS) by terminating the application. The crash stems from the application attempting to access a memory location it does not own, leading to a segmentation fault. The vulnerability exists in all versions of ImageMagick below 7.1.2-19 and 6.9.13-44. The issue also affects all Magick.NET NuGet packages below version 14.12.0, as they wrap the vulnerable ImageMagick library. This was assigned a CVSS 3.1 base score of 5.5, with a vector of AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The out-of-bounds read occurs in the core C library and is not a .NET-specific issue. No public exploit has been made available as of the publication date.
Platform: ImageMagick, Magick.NET
Version: <7.1.2-19/14.12.0
Vulnerability : Out-of-bounds read
Severity: Medium (CVSS5.5)
date: Apr 13, 2026

Prediction: Patched Apr 13, 2026

What Undercode Say:

Analytics show the vulnerability resides in the pixel sampling logic. The following bash command demonstrates how a vulnerable system might be tested:

Identify installed ImageMagick version
identify -version | head -n1
Check if the system is vulnerable
if [[ $(identify -version | grep -oP '(?<=Version: ImageMagick )\S+') < "7.1.2-19" ]]; then
echo "Vulnerable to CVE-2026-33905"
else
echo "Patched against CVE-2026-33905"
fi
Simulate the vulnerable operation (PoC concept)
convert input.png -sample 50x50 -define sample:offset=999999999 output.png

Exploit:

An attacker can trigger this vulnerability by crafting an image and setting an excessively large `sample:offset` value during the `-sample` operation. When processed, the application attempts to read from that out-of-bounds address, leading to a crash. There is no known public exploit code, and the flaw does not allow for arbitrary code execution.

Protection from this CVE

The only complete protection is to update ImageMagick to version 7.1.2-19 or later, or Magick.NET to version 14.12.0 or later. Until patched, avoid using the `-sample` operation with any user-controlled `sample:offset` values. Implement strict input validation to reject files that specify a sample:offset. Use the `identify -version` command to check your current version.

Impact:

Successful exploitation results in a crash of the application, leading to a denial of service (DoS). This can cause loss of availability for any service that processes untrusted images using the vulnerable operation. The confidentiality and integrity of data remain unaffected as the flaw is a read operation and does not allow for code execution.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top