CVE-2026-33908
Stack Exhaustion DoS in ImageMagick XML Parsing
Publication date: 2026-04-13
Last updated on: 2026-04-17
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| imagemagick | imagemagick | to 6.9.13-44 (exc) |
| imagemagick | imagemagick | From 7.0.0-0 (inc) to 7.1.2-19 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-674 | The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in ImageMagick versions below 7.1.2-19 and 6.9.13-44. The issue occurs because the function DestroyXMLTree() frees the memory of an XML tree recursively without any limit on the depth of recursion. When processing an XML file with deeply nested structures, this can cause the stack memory to be exhausted, leading to a Denial of Service (DoS) condition.
How can this vulnerability impact me? :
The vulnerability can cause a Denial of Service (DoS) attack by exhausting the stack memory when processing specially crafted XML files with deeply nested structures. This means that an attacker could cause the ImageMagick software to crash or become unresponsive, potentially disrupting services or applications that rely on it.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade ImageMagick to version 7.1.2-19 or later, or version 6.9.13-44 or later, where the issue has been fixed.