ImageMagick Heap Overflow Vulnerability Exposed

The National Vulnerability Database (NVD) has highlighted a critical heap buffer overflow vulnerability affecting ImageMagick, a widely used open-source image manipulation tool. The flaw, tracked as CVE-2026-33901, resides within the MVG decoder. When processing a specially crafted image file, this vulnerability can lead to an out-of-bounds write, potentially allowing attackers to execute arbitrary code or crash the application.

According to NVD, the issue impacts ImageMagick versions prior to 7.1.2-19 and 6.9.13-44. This is a significant concern given ImageMagick’s prevalence in web applications, content management systems, and various automated image processing pipelines. The exploitability is rated as HIGH, with a CVSS score of 7.5, stemming from its network accessibility (AV:N), low attack complexity (AC:L), and lack of privileges or user interaction required (PR:N, UI:N).

Fortunately, ImageMagick developers have addressed this vulnerability. Patches are available in versions 6.9.13-44 and 7.1.2-19. Organizations relying on ImageMagick should prioritize updating to these fixed versions to mitigate the risk of exploitation.