CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-33899: Heap-Based Buffer Overflow via Integer Underflow in ImageMagick XML Parser

Vulnerability ID: CVE-2026-33899
CVSS Score: 5.3
Published: 2026-04-13

ImageMagick versions prior to 7.1.2-19 and 6.9.13-44 contain a heap-based buffer overflow vulnerability in the XML parsing engine. The flaw arises from an integer underflow during UTF-16 to UTF-8 character conversion in the NewXMLTree function, leading to a single null byte being written out of bounds. This memory corruption can compromise heap metadata, reliably causing a denial of service and introducing the potential for remote code execution under specific heap manipulation conditions.

TL;DR

An integer underflow in ImageMagick's XML parser allows an attacker to write an out-of-bounds null byte, corrupting heap metadata. This primitive causes application crashes and presents a theoretical path to remote code execution.


Technical Details

  • CWE ID: CWE-122, CWE-191
  • Attack Vector: Network
  • CVSS Score: 5.3 (Medium)
  • Impact: Denial of Service / Potential RCE
  • Exploit Status: Unexploited
  • KEV Status: Not Listed

Affected Systems

  • ImageMagick < 7.1.2-19 (Fixed in: 7.1.2-19)
  • ImageMagick < 6.9.13-44 (Fixed in: 6.9.13-44)
  • Magick.NET < 14.12.0 (Fixed in: 14.12.0)

Code Analysis

Commit: ae679e2

Fix integer underflow in NewXMLTree during UTF16 to UTF8 conversion

--- a/MagickCore/xml-tree.c
+++ b/MagickCore/xml-tree.c
@@ -1919,8 +1919,8 @@ MagickExport XMLTreeInfo *NewXMLTree(const char *xml,ExceptionInfo *exception)
         "ParseError","UTF16 to UTF8 failed");
       return((XMLTreeInfo *) NULL);
     }
-  terminal=utf8[length-1];
-  utf8[length-1]='\0';
+  terminal=utf8[MagickMax(length-1,0)];
+  utf8[MagickMax(length-1,0)]='\0';
   p=utf8;
   while ((*p != '\0') && (*p != '<'))
     p++;
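Review bot: the clamp `MagickMax(length-1,0)` only stops the negative index if `length` is a signed type; if it is `size_t` (its declaration is not visible in this hunk), `length-1` wraps to `SIZE_MAX` for an empty buffer, `MagickMax` returns that value unchanged, and the out-of-bounds write would remain. Confirm the declaration, and consider rejecting `length == 0` explicitly with an early `return((XMLTreeInfo *) NULL);` next to the existing "UTF16 to UTF8 failed" path, since an empty document cannot be parsed anyway; with the clamp alone, the zero-length case silently reads and overwrites `utf8[0]`, which also assumes the converter allocated at least one byte.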

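The following is an added example, not code from the report or from the ImageMagick project. It is a reduced model of the terminator step that follows the UTF-16 to UTF-8 conversion in NewXMLTree: a hardened version that rejects an empty buffer instead of indexing it, plus two helpers that show why the `MagickMax(length-1,0)` clamp from the fix commit only works when `length` is a signed type. Function names, the 64-byte scratch buffer and the input strings are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Reduced model (added example, not ImageMagick code) of the terminator
 * handling after UTF-16 to UTF-8 conversion. `utf8` is the converter's
 * output buffer and `length` its byte count; the parser saves the last
 * byte as `terminal` and overwrites it with '\0' before scanning for '<'.
 *
 * Pre-fix pattern, shown only as a comment because it must never run:
 *     terminal = utf8[length-1];
 *     utf8[length-1] = '\0';
 * With length == 0 the index is -1 for a signed length (or wraps to a
 * huge value for an unsigned one); either way the null byte is written
 * outside the heap allocation.
 */

/* Hardened terminator step: reject empty input outright rather than
 * clamping, so no index is ever derived from a zero length.
 * Returns 1 if the buffer was terminated, 0 if the input was rejected. */
int terminate_utf8(char *utf8, long length, char *terminal)
{
  if (utf8 == NULL || length <= 0)
    return 0;                     /* empty document: nothing to terminate */
  *terminal = utf8[length - 1];
  utf8[length - 1] = '\0';
  return 1;
}

/* The fix clamps with MagickMax(length-1,0). These helpers show that the
 * clamp is only effective for a signed length: with size_t, 0-1 wraps to
 * SIZE_MAX, which compares greater than 0 and is therefore never clamped. */
size_t clamp_index_unsigned(size_t length)
{
  size_t idx = length - 1;        /* wraps to SIZE_MAX when length == 0 */
  return idx > 0 ? idx : 0;       /* MagickMax(idx,0) leaves SIZE_MAX as-is */
}

long clamp_index_signed(long length)
{
  long idx = length - 1;          /* -1 when length == 0 */
  return idx > 0 ? idx : 0;       /* clamped to 0: stays inside the buffer */
}

/* Worked run on constructed input. Copies `input` into a local buffer
 * without a trailing NUL (mimicking raw converter output), applies the
 * hardened step and returns the saved terminal byte, or -1 on rejection. */
int run_terminator(const char *input)
{
  char buf[64];
  char terminal = 0;
  size_t n = strlen(input);
  if (n >= sizeof buf)
    return -1;                    /* constructed inputs are always short */
  memcpy(buf, input, n);
  if (!terminate_utf8(buf, (long) n, &terminal))
    return -1;
  return (unsigned char) terminal;
}

int main(void)
{
  printf("terminal byte for \"abc\": %d\n", run_terminator("abc"));
  printf("empty input rejected: %d\n", run_terminator(""));
  printf("unsigned clamp of 0: %zu (SIZE_MAX, not clamped)\n",
         clamp_index_unsigned(0));
  printf("signed clamp of 0: %ld\n", clamp_index_signed(0));
  return 0;
}
```

The point of the two clamp helpers is the review question a patch like this raises: a clamp against zero is a no-op on an unsigned counter, so the defensive check has to sit before the subtraction (as in `terminate_utf8`) or the counter has to be signed.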
Mitigation Strategies

  • Upgrade ImageMagick to version 7.1.2-19 or 6.9.13-44
  • Upgrade Magick.NET dependency to version 14.12.0
  • Disable XML and SVG processing via ImageMagick's policy.xml configuration
  • Deploy WAF rules to inspect image uploads for malicious XML payloads

Remediation Steps:

  1. Inventory all applications, containers, and services utilizing ImageMagick or associated wrappers.
  2. Update the operating system packages or compile ImageMagick from source to version 7.1.2-19 or 6.9.13-44.
  3. Update .NET application dependencies relying on Magick.NET to version 14.12.0 via NuGet.
  4. Restart affected application processes (e.g., PHP-FPM, Sidekiq, IIS application pools) to load the updated libraries.
  5. If patching must be delayed, restrict the relevant format delegates in /etc/ImageMagick-7/policy.xml as an interim mitigation and validate that the restriction is in effect.
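As an added example for step 5 (not taken from the report or from the ImageMagick project), a policy.xml fragment that denies the SVG-family coders, which are the formats routed through the XML tree parser. The coder names `SVG` and `MSVG` are assumptions about a typical build; confirm them against the output of `magick -list format` on the installed version before deploying.

```xml
<policymap>
  <!-- Added example: deny the SVG-family coders that parse XML input.
       Coder names are assumptions; verify with `magick -list format`. -->
  <policy domain="coder" rights="none" pattern="SVG" />
  <policy domain="coder" rights="none" pattern="MSVG" />
  <!-- Merge with, do not replace, the entries already present in the
       distribution's policy.xml. -->
</policymap>
```

Merge these entries into /etc/ImageMagick-7/policy.xml (ImageMagick 6 installs use the ImageMagick-6 directory), restart the processes listed in step 4, and confirm the policy is loaded with `magick -list policy` on ImageMagick 7 or `identify -list policy` on ImageMagick 6; a denied coder should then refuse SVG input with a policy error rather than parsing it.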

Read the full report for CVE-2026-33899 on our website for more details including interactive diagrams and full exploit analysis.
