Listen to this Post
The CVE-2026-33902 vulnerability is a stack overflow issue located in ImageMagick’s FX expression parser. The parser fails to implement any recursion depth limits, allowing an attacker to craft a deeply nested FX expression. When this malicious expression is processed, the recursive function calls cause the program’s call stack to overflow. This uncontrolled recursion (CWE-674) leads to the process crashing immediately, resulting in a denial of service. The vulnerability exists in all versions below 7.1.2-19 for the 7.x branch and below 6.9.13-44 for the 6.x branch. The attack requires local access and user interaction, such as tricking a user into processing a malicious image or command. The issue has been patched in the mentioned versions. The CVSS 3.1 base score is 5.5 (Medium), with the vector string AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The patch was introduced in Magick.NET 14.12.0 to address the vulnerability.
dailycve form is:
Platform: ImageMagick
Version: <6.9.13-44,<7.1.2-19
Vulnerability : Uncontrolled Recursion
Severity: 5.5 MEDIUM
date: 2026-04-13
Prediction: 2026-04-13
What Undercode Say:
To test for the vulnerability, one can use the `identify` command with a deeply nested FX expression.
Simulate the crash with a deeply nested expression identify -format '%[fx: t = 0; t = (t) + (t) + ... ; ... ]' null:
A proof-of-concept could involve an MVG file with a recursive fx operation.
Craft a recursive MVG file (concept) echo 'push graphic-context' > poc.mvg echo 'fx "t = 0; for(x=0; x<10000; x++) t = t + 1;"' >> poc.mvg echo 'pop graphic-context' >> poc.mvg convert poc.mvg out.png
Exploit:
An attacker exploits this vulnerability by providing a deeply nested FX expression to the ImageMagick parser. This can be done through a specially crafted MVG file or a command-line argument. As there is no recursion depth check, the stack eventually overflows, causing the application to crash.
Protection from this CVE:
The primary protection is to upgrade ImageMagick to version 6.9.13-44 or 7.1.2-19, or Magick.NET to 14.12.0. If upgrading is not possible, restrict access to ImageMagick processing services and sanitize FX expression inputs to limit nesting depth.
Impact:
The impact is a denial of service due to process termination. There is no confidentiality or integrity impact. The vulnerability is rated as moderate severity.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

