{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33902", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T15:41:47.490Z", "datePublished": "2026-04-13T20:59:47.120Z", "dateUpdated": "2026-04-14T15:51:26.551Z"}, "containers": {"cna": {"title": "ImageMagick: Stack Overflow via Recursive FX Expression Parsing", "problemTypes": [{"descriptions": [{"cweId": "CWE-674", "lang": "en", "description": "CWE-674: Uncontrolled Recursion", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-f4qm-vj5j-9xpw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-f4qm-vj5j-9xpw"}, {"name": "https://github.com/ImageMagick/ImageMagick/commit/d3c0a37485314c5ccef72efb18f3847cd53868ba", "tags": ["x_refsource_MISC"], "url": "https://github.com/ImageMagick/ImageMagick/commit/d3c0a37485314c5ccef72efb18f3847cd53868ba"}, {"name": "https://github.com/dlemstra/Magick.NET/releases/tag/14.12.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.12.0"}], "affected": [{"vendor": "ImageMagick", "product": "ImageMagick", "versions": [{"version": "< 7.1.2-19", "status": "affected"}, {"version": "< 6.9.13-44", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-13T20:59:47.120Z"}, "descriptions": [{"lang": "en", "value": "ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, a stack overflow vulnerability in ImageMagick's FX expression parser allows an attacker to crash the process by providing a deeply nested expression. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19."}], "source": {"advisory": "GHSA-f4qm-vj5j-9xpw", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T15:51:18.568616Z", "id": "CVE-2026-33902", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T15:51:26.551Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33902", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T15:51:18.568616Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T15:51:22.393Z"}}], "cna": {"title": "ImageMagick: Stack Overflow via Recursive FX Expression Parsing", "source": {"advisory": "GHSA-f4qm-vj5j-9xpw", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "ImageMagick", "product": "ImageMagick", "versions": [{"status": "affected", "version": "< 7.1.2-19"}, {"status": "affected", "version": "< 6.9.13-44"}]}], "references": [{"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-f4qm-vj5j-9xpw", "name": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-f4qm-vj5j-9xpw", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/ImageMagick/ImageMagick/commit/d3c0a37485314c5ccef72efb18f3847cd53868ba", "name": "https://github.com/ImageMagick/ImageMagick/commit/d3c0a37485314c5ccef72efb18f3847cd53868ba", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.12.0", "name": "https://github.com/dlemstra/Magick.NET/releases/tag/14.12.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, a stack overflow vulnerability in ImageMagick's FX expression parser allows an attacker to crash the process by providing a deeply nested expression. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-674", "description": "CWE-674: Uncontrolled Recursion"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-13T20:59:47.120Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33902", "state": "PUBLISHED", "dateUpdated": "2026-04-14T15:51:26.551Z", "dateReserved": "2026-03-24T15:41:47.490Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-13T20:59:47.120Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*", "matchCriteriaId": "FEBAB6BF-AFEC-4D29-95E8-88C4585C9896", "versionEndExcluding": "6.9.13-44", "vulnerable": true}, {"criteria": "cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*", "matchCriteriaId": "80D20334-B25F-479D-A411-DBD1364D303C", "versionEndExcluding": "7.1.2-19", "versionStartIncluding": "7.0.0-0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, a stack overflow vulnerability in ImageMagick's FX expression parser allows an attacker to crash the process by providing a deeply nested expression. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19."}], "id": "CVE-2026-33902", "lastModified": "2026-04-17T20:46:33.620", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-13T22:16:28.680", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/ImageMagick/ImageMagick/commit/d3c0a37485314c5ccef72efb18f3847cd53868ba"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-f4qm-vj5j-9xpw"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.12.0"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-674"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "ImageMagick: ImageMagick: Denial of Service via deeply nested expression in FX parser", "id": "2458040", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458040"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-770", "details": ["A flaw was found in ImageMagick, a software used for editing and manipulating digital images. An attacker can exploit this vulnerability by providing a deeply nested expression to ImageMagick's FX expression parser. This can lead to a stack overflow, causing the process to crash and resulting in a Denial of Service (DoS)."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-33902", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "ImageMagick", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "ImageMagick", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2026-04-13T20:59:47Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33902\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33902\nhttps://github.com/ImageMagick/ImageMagick/commit/d3c0a37485314c5ccef72efb18f3847cd53868ba\nhttps://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-f4qm-vj5j-9xpw\nhttps://github.com/dlemstra/Magick.NET/releases/tag/14.12.0"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.1.2-19)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.9.13-44)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "ImageMagick", "source": "cna", "vendor": "ImageMagick"}, "product": "imagemagick", "vendor": "imagemagick"}], "analysis": {"en": {"generated_at": "2026-04-14T01:36:17.553221+00:00", "value": {"mitigation_remediation": ["Upgrade ImageMagick to version 7.1.2\u201119 or later, or 6.9.13\u201144 or later."], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "ImageMagick, the image processing library. All releases earlier than 7.1.2\u201119 and 6.9.13\u201144 are affected.", "description_and_impact": "The vulnerability originates from the FX expression parser in ImageMagick, which fails to enforce a recursion depth limit and therefore overflows the processor stack when handling a deeply nested expression. This results in the ImageMagick process terminating unexpectedly, causing a denial of service. The weakness is classified as a stack overflow and resource exhaustion, matching CWE\u2011674 and CWE\u2011770.", "risk_and_exploitability": "The CVSS score of 5.5 indicates medium severity. No EPSS score is available and the vulnerability is not listed in CISA\u2019s KEV catalog. An attacker must provide a malicious FX expression to a running ImageMagick instance; the resulting crash can interrupt services that rely on the library. The risk is elevated in environments where ImageMagick processes untrusted input, such as web servers or document conversion services."}}}}, "created": "2026-04-14T16:18:06.672655+00:00", "updated": "2026-04-14T16:33:13.464694+00:00", "vendors": ["imagemagick", "imagemagick$PRODUCT$imagemagick"]}