ImageMagick, Stack Overflow, CVE-2026-33902 (Moderate)

Listen to this Post

The CVE-2026-33902 vulnerability is a stack overflow in the FX expression parser of ImageMagick versions below 7.1.2-19 and 6.9.13-44. The FX parser is a recursive descent parser that evaluates mathematical expressions and image processing functions provided by the user.
The vulnerability exists due to uncontrolled recursion depth during the parsing of deeply nested expressions. When a user provides a specially crafted image file or a direct command-line expression with excessive nesting (e.g., thousands of nested parentheses or operators), the parser recursively calls its evaluation functions for each nesting level.
Each recursive call consumes additional space on the call stack. Since there is no bound on the allowed recursion depth, an attacker can force the recursion to continue until the limited stack memory is exhausted. Once the stack pointer exceeds the allocated stack segment, the program triggers a segmentation fault, leading to an immediate crash of the ImageMagick process.
The crash results in a denial-of-service (DoS) condition. The issue can be exploited remotely if an application processes user-supplied images without proper input validation. User interaction is required to load the malicious file or execute the crafted command, but no special privileges are needed.
The fix, implemented in commit `d3c0a374` (ImageMagick/ImageMagick), introduces a depth counter and explicitly checks if the parsing depth exceeds MagickMaxRecursionDepth. If the depth limit is reached, the parser returns an error instead of recursing further, preventing the stack overflow.

dailycve form:
Platform: ImageMagick
Version: <6.9.13-44/<7.1.2-19
Vulnerability: Uncontrolled Recursion
Severity: Moderate
date: Apr 13 2026
Prediction: Apr 20 2026

Analytics under What Undercode Say:

To detect potential exploitation attempts, monitor logs for segmentation faults (exit code 139) or the error message `”Expression too deeply nested”` after updating to a patched version. The following bash command can be used to test a system’s exposure by attempting to parse a deeply nested expression:

Test for vulnerability (will crash unpatched versions)
convert -size 100x100 xc: -fx 'if(1,if(1,if(1,if(1,if(1,if(1,if(1,if(1,if(1,if(1,1))))))))))' info:
Check ImageMagick version
convert --version | head -n1
Verify if patch is applied (look for depth limit in source or error message)
convert -debug all -fx 'if(1,if(1,1))' null: 2>&1 | grep -i depth

Exploit:

No public exploit is currently available for CVE-2026-33902. However, an attacker can craft an SVG, MVG, or directly invoke `convert` with an excessively nested FX expression. For example, creating an MVG file with thousands of nested push/pop operations or a script that generates a deeply nested ternary expression can trigger the overflow on unpatched systems. The primary requirement is that the target application must invoke the FX parser on untrusted input.

Protection from this CVE

  • Upgrade ImageMagick to version 7.1.2-19 or 6.9.13-44, or any subsequent release.
  • For Magick.NET users, upgrade to version 14.12.0 or later, as all affected Magick.NET packages are fixed in this release.
  • If an immediate upgrade is not possible, avoid processing untrusted images with FX expressions. Disable or sandbox the FX parser if feasible.
  • Implement a Web Application Firewall (WAF) or input validation to reject deeply nested expressions.
  • Monitor for unusual application crashes or high CPU usage that may indicate attempted exploitation.

Impact:

Successful exploitation results in a denial of service (DoS), causing the ImageMagick process to crash. While the CVSS score is 5.5 (Medium), the impact is limited to availability as there is no evidence of remote code execution or privilege escalation. The vulnerability requires user interaction to process a malicious file, but can affect any service that relies on ImageMagick to handle user-supplied images, including web applications, content management systems, and batch processing pipelines.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top