{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33900", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T15:41:47.490Z", "datePublished": "2026-04-13T20:50:19.615Z", "dateUpdated": "2026-04-13T20:59:24.130Z"}, "containers": {"cna": {"title": "ImageMagick has a Heap overflow caused by integer overflow/wraparound in viff encoder on 32-bit builds", "problemTypes": [{"descriptions": [{"cweId": "CWE-190", "lang": "en", "description": "CWE-190: Integer Overflow or Wraparound", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v67w-737x-v2c9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v67w-737x-v2c9"}, {"name": "https://github.com/ImageMagick/ImageMagick/commit/d27b840a61b322419a66d0d192ff56d52498148d", "tags": ["x_refsource_MISC"], "url": "https://github.com/ImageMagick/ImageMagick/commit/d27b840a61b322419a66d0d192ff56d52498148d"}, {"name": "https://github.com/ImageMagick/ImageMagick/releases/tag/7.1.2-19", "tags": ["x_refsource_MISC"], "url": "https://github.com/ImageMagick/ImageMagick/releases/tag/7.1.2-19"}, {"name": "https://github.com/dlemstra/Magick.NET/releases/tag/14.12.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.12.0"}], "affected": [{"vendor": "ImageMagick", "product": "ImageMagick", "versions": [{"version": "< 6.9.13-44", "status": "affected"}, {"version": "< 7.1.2-19", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-13T20:59:24.130Z"}, "descriptions": [{"lang": "en", "value": "ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, the viff encoder contains an integer truncation/wraparound issue on 32-bit builds that could trigger an out of bounds heap write, potentially causing a crash. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19."}], "source": {"advisory": "GHSA-v67w-737x-v2c9", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, the viff encoder contains an integer truncation/wraparound issue on 32-bit builds that could trigger an out of bounds heap write, potentially causing a crash. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19."}], "id": "CVE-2026-33900", "lastModified": "2026-04-13T22:16:28.567", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-13T21:16:25.333", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/ImageMagick/ImageMagick/commit/d27b840a61b322419a66d0d192ff56d52498148d"}, {"source": "security-advisories@github.com", "url": "https://github.com/ImageMagick/ImageMagick/releases/tag/7.1.2-19"}, {"source": "security-advisories@github.com", "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v67w-737x-v2c9"}, {"source": "security-advisories@github.com", "url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.12.0"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "ImageMagick: Magick.NET: ImageMagick: Denial of Service via integer truncation in viff encoder", "id": "2458020", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458020"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-190", "details": ["A flaw was found in ImageMagick, a software suite for editing and manipulating digital images. This vulnerability, an integer truncation/wraparound issue within the viff encoder on 32-bit builds, could lead to an out-of-bounds heap write. An attacker could exploit this by providing a specially crafted image file, potentially causing the application to crash and resulting in a Denial of Service (DoS)."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-33900", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "ImageMagick", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "ImageMagick", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2026-04-13T20:50:19Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33900\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33900\nhttps://github.com/ImageMagick/ImageMagick/commit/d27b840a61b322419a66d0d192ff56d52498148d\nhttps://github.com/ImageMagick/ImageMagick/releases/tag/7.1.2-19\nhttps://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v67w-737x-v2c9\nhttps://github.com/dlemstra/Magick.NET/releases/tag/14.12.0"], "threat_severity": "Moderate"}

{}