CVE-2026-33902

ImageMagick: Stack Overflow via Recursive FX Expression Parsing

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, a stack overflow vulnerability in ImageMagick's FX expression parser allows an attacker to crash the process by providing a deeply nested expression. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.

*Credits: N/A

CVSS Scores

GitHubv3.1 5.5

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2026-03-24 CVE Reserved
2026-04-13 CVE Published
2026-04-14 CVE Updated
2026-05-15 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-674: Uncontrolled Recursion

CAPEC

References (3)

URL	Tag	Source
https://github.com/ImageMagick/ImageMagick/commit/d3c0a37485314c5ccef72efb18f3847cd53868ba	X_refsource_misc
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-f4qm-vj5j-9xpw	X_refsource_confirm
https://github.com/dlemstra/Magick.NET/releases/tag/14.12.0	X_refsource_misc

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
ImageMagick Search vendor "ImageMagick"		ImageMagick Search vendor "ImageMagick" for product "ImageMagick"				< 7.1.2 Search vendor "ImageMagick" for product "ImageMagick" and version " < 7.1.2"		en		Affected
ImageMagick Search vendor "ImageMagick"		ImageMagick Search vendor "ImageMagick" for product "ImageMagick"				< 6.9.13 Search vendor "ImageMagick" for product "ImageMagick" and version " < 6.9.13"		en		Affected