ImageMagick, Stack Overflow, CVE-2026-33902 (Moderate)

Listen to this Post

The CVE-2026-33902 vulnerability is a stack overflow issue located in ImageMagick’s FX expression parser. The parser fails to implement any recursion depth limits, allowing an attacker to craft a deeply nested FX expression. When this malicious expression is processed, the recursive function calls cause the program’s call stack to overflow. This uncontrolled recursion (CWE-674) leads to the process crashing immediately, resulting in a denial of service. The vulnerability exists in all versions below 7.1.2-19 for the 7.x branch and below 6.9.13-44 for the 6.x branch. The attack requires local access and user interaction, such as tricking a user into processing a malicious image or command. The issue has been patched in the mentioned versions. The CVSS 3.1 base score is 5.5 (Medium), with the vector string AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The patch was introduced in Magick.NET 14.12.0 to address the vulnerability.

dailycve form is:

Platform: ImageMagick
Version: <6.9.13-44,<7.1.2-19
Vulnerability : Uncontrolled Recursion
Severity: 5.5 MEDIUM
date: 2026-04-13

Prediction: 2026-04-13

What Undercode Say:

To test for the vulnerability, one can use the `identify` command with a deeply nested FX expression.

Simulate the crash with a deeply nested expression
identify -format '%[fx: t = 0; t = (t) + (t) + ... ; ... ]' null:

A proof-of-concept could involve an MVG file with a recursive fx operation.

Craft a recursive MVG file (concept)
echo 'push graphic-context' > poc.mvg
echo 'fx "t = 0; for(x=0; x<10000; x++) t = t + 1;"' >> poc.mvg
echo 'pop graphic-context' >> poc.mvg
convert poc.mvg out.png

Exploit:

An attacker exploits this vulnerability by providing a deeply nested FX expression to the ImageMagick parser. This can be done through a specially crafted MVG file or a command-line argument. As there is no recursion depth check, the stack eventually overflows, causing the application to crash.

Protection from this CVE:

The primary protection is to upgrade ImageMagick to version 6.9.13-44 or 7.1.2-19, or Magick.NET to 14.12.0. If upgrading is not possible, restrict access to ImageMagick processing services and sanitize FX expression inputs to limit nesting depth.

Impact:

The impact is a denial of service due to process termination. There is no confidentiality or integrity impact. The vulnerability is rated as moderate severity.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top