CVE Reports

Originally published at cvereports.com

CVE-2026-33900: Heap-Based Buffer Overflow via Integer Truncation in ImageMagick VIFF Encoder

Vulnerability ID: CVE-2026-33900
CVSS Score: 5.9
Published: 2026-04-13

ImageMagick and Magick.NET contain a heap-based buffer overflow vulnerability in the VIFF encoder due to an integer truncation issue on 32-bit architectures. Processing maliciously crafted images can result in an undersized memory allocation, leading to out-of-bounds writes and potential system compromise.

TL;DR

A heap-based buffer overflow exists in ImageMagick's VIFF encoder on 32-bit builds due to CWE-190 (Integer Truncation). An image whose dimensions push the required buffer size past what a 32-bit size value can hold causes an undersized memory allocation and subsequent heap corruption.
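The truncation described above, as an added C example (not ImageMagick's code). It assumes the buffer size is bytes-per-pixel times columns times rows and models a 32-bit size_t with uint32_t; the names size32_t, packet_count, truncated_size and fits_in_size32 are hypothetical.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: uint32_t stands in for size_t on a 32-bit build, so the
   truncation reproduces on a 64-bit host as well. */
typedef uint32_t size32_t;

/* Assumption: the buffer size is bytes-per-pixel * columns * rows, computed
   in a 64-bit type (the role MagickSizeType plays in the fix). */
static uint64_t packet_count(uint64_t columns, uint64_t rows, uint64_t bpp)
{
  return bpp * columns * rows;
}

/* Size a 32-bit allocator would actually be asked for: high bits are lost. */
static size32_t truncated_size(uint64_t packets)
{
  return (size32_t) packets;
}

/* Round-trip comparison in the style of the fix: 1 if the count survives
   the narrowing cast, 0 if the writer must refuse the image. */
static int fits_in_size32(uint64_t packets)
{
  return packets == (uint64_t) ((size32_t) packets);
}

int main(void)
{
  /* Constructed sample dimensions: columns, rows, bytes per pixel. */
  static const uint64_t samples[][3] = {
    { 1024, 768, 3 }, { 40000, 40000, 3 }, { 65536, 65536, 1 }
  };
  for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
  {
    uint64_t packets = packet_count(samples[i][0], samples[i][1], samples[i][2]);
    printf("%" PRIu64 "x%" PRIu64 ": need %" PRIu64 " bytes, 32-bit size %" PRIu32 " -> %s\n",
           samples[i][0], samples[i][1], packets, truncated_size(packets),
           fits_in_size32(packets) ? "allocate" : "reject");
  }
  return 0;
}
```

The 65536 x 65536 case truncates to a size of zero, which is why the round-trip comparison is needed rather than a check for a small or negative result.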


Technical Details

  • CWE ID: CWE-190
  • Attack Vector: Network
  • CVSS Score: 5.9 (Medium)
  • Impact: Denial of Service (DoS), Potential Remote Code Execution
  • Exploit Status: None (No public PoC)
  • KEV Status: Not Listed

Affected Systems

  • ImageMagick (32-bit builds)
  • Magick.NET (x86 and AnyCPU NuGet packages)
  • ImageMagick: < 6.9.13-44 (Fixed in: 6.9.13-44)
  • ImageMagick: < 7.1.2-19 (Fixed in: 7.1.2-19)
  • Magick.NET: < 14.12.0 (Fixed in: 14.12.0)

Code Analysis

Commit: d27b840

Fix integer truncation vulnerability in viff encoder memory allocation

+    if (packets != (MagickSizeType) ((size_t) packets))
+      ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
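Review bot: the added comparison of packets against (MagickSizeType) ((size_t) packets) has no comment explaining why a value is checked against its own round trip through size_t. A one-line comment stating that it rejects counts a narrower size_t cannot represent, and that it is always false where size_t is as wide as MagickSizeType, would keep it from being removed later as dead code. The excerpt shows no surrounding context, so confirm the check runs before the first allocation or size computation that uses (size_t) packets. Throwing "MemoryAllocationFailed" also makes this rejection indistinguishable in logs from a real out-of-memory condition, so a message that names the oversized request would help triage.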

Mitigation Strategies

  • Upgrade ImageMagick and Magick.NET to the latest patched versions.
  • Enforce maximum image dimensions and memory limits via ImageMagick's policy.xml.
  • Migrate vulnerable workloads from 32-bit to 64-bit architectures, which eliminates the 32-bit truncation boundary.

Remediation Steps:

  1. Identify all deployment instances of ImageMagick or Magick.NET.
  2. Determine the architecture target (32-bit vs 64-bit) of the compiled libraries.
  3. Deploy the updated binaries (ImageMagick 7.1.2-19 / 6.9.13-44) or NuGet packages (Magick.NET 14.12.0).
  4. Update policy.xml to restrict image dimensions with <policy domain="resource" name="width" value="16KP"/> and the equivalent entry for height.
  5. Restart dependent services to load the updated libraries.
