Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.5
ImageMagick allows hackers to execute malicious code by sending a special image
CVE-2026-33901
GHSA-x9h5-r9v2-vcww
Summary
Some versions of ImageMagick can be tricked into running unwanted code if it's given a specially crafted image. This could allow hackers to take control of your system. Update to a fixed version to prevent this.
What to do
- Update magick.net-q16-anycpu to version 14.12.0.
- Update magick.net-q16-hdri-anycpu to version 14.12.0.
- Update magick.net-q16-hdri-openmp-arm64 to version 14.12.0.
- Update magick.net-q16-hdri-arm64 to version 14.12.0.
- Update magick.net-q16-hdri-x64 to version 14.12.0.
- Update magick.net-q16-hdri-x86 to version 14.12.0.
- Update magick.net-q16-openmp-arm64 to version 14.12.0.
- Update magick.net-q16-openmp-x64 to version 14.12.0.
- Update magick.net-q16-arm64 to version 14.12.0.
- Update magick.net-q16-x64 to version 14.12.0.
- Update magick.net-q16-x86 to version 14.12.0.
- Update magick.net-q8-anycpu to version 14.12.0.
- Update magick.net-q8-openmp-arm64 to version 14.12.0.
- Update magick.net-q8-openmp-x64 to version 14.12.0.
- Update magick.net-q8-arm64 to version 14.12.0.
- Update magick.net-q8-x64 to version 14.12.0.
- Update magick.net-q8-x86 to version 14.12.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | magick.net-q16-anycpu | <= 14.12.0 | 14.12.0 |
| – | magick.net-q16-hdri-anycpu | <= 14.12.0 | 14.12.0 |
| – | magick.net-q16-hdri-openmp-arm64 | <= 14.12.0 | 14.12.0 |
| – | magick.net-q16-hdri-arm64 | <= 14.12.0 | 14.12.0 |
| – | magick.net-q16-hdri-x64 | <= 14.12.0 | 14.12.0 |
| – | magick.net-q16-hdri-x86 | <= 14.12.0 | 14.12.0 |
| – | magick.net-q16-openmp-arm64 | <= 14.12.0 | 14.12.0 |
| – | magick.net-q16-openmp-x64 | <= 14.12.0 | 14.12.0 |
| – | magick.net-q16-arm64 | <= 14.12.0 | 14.12.0 |
| – | magick.net-q16-x64 | <= 14.12.0 | 14.12.0 |
| – | magick.net-q16-x86 | <= 14.12.0 | 14.12.0 |
| – | magick.net-q8-anycpu | <= 14.12.0 | 14.12.0 |
| – | magick.net-q8-openmp-arm64 | <= 14.12.0 | 14.12.0 |
| – | magick.net-q8-openmp-x64 | <= 14.12.0 | 14.12.0 |
| – | magick.net-q8-arm64 | <= 14.12.0 | 14.12.0 |
| – | magick.net-q8-x64 | <= 14.12.0 | 14.12.0 |
| – | magick.net-q8-x86 | <= 14.12.0 | 14.12.0 |
Original title
ImageMagick has a heap Buffer Overflow in ImageMagick MVG decoder
Original description
A heap buffer overflow occurs in the MVG decoder that could result in an out of bounds write when processing a crafted image.
nvd CVSS3.1
7.5
Vulnerability type
CWE-122
Heap-based Buffer Overflow
CWE-787
Out-of-bounds Write
- https://github.com/ImageMagick/ImageMagick/commit/4c72003e9e54a4ebaa938d239e75f5...
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-x9h5-r9v2-vc...
- https://github.com/dlemstra/Magick.NET/releases/tag/14.12.0
- https://nvd.nist.gov/vuln/detail/CVE-2026-33901
- https://github.com/ImageMagick/ImageMagick/releases/tag/7.1.2-19
- https://github.com/advisories/GHSA-x9h5-r9v2-vcww
Published: 14 Apr 2026 · Updated: 14 Apr 2026 · First seen: 13 Apr 2026