7.5
ImageMagick can exhaust stack memory when processing deeply nested XML files
CVE-2026-33908
GHSA-fwvm-ggf6-2p4x
Summary
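ImageMagick may crash or freeze when it processes XML files with deeply nested structures, because freeing the parsed XML tree recurses without a depth limit and can exhaust stack memory. The result is a denial of service for whatever workflow or service is handling the file. This issue has been fixed in newer versions of the software. To protect yourself, update to the latest version of ImageMagick.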
What to do
- Update magick.net-q16-anycpu to version 14.12.0.
- Update magick.net-q16-hdri-anycpu to version 14.12.0.
- Update magick.net-q16-hdri-openmp-arm64 to version 14.12.0.
- Update magick.net-q16-hdri-arm64 to version 14.12.0.
- Update magick.net-q16-hdri-x64 to version 14.12.0.
- Update magick.net-q16-hdri-x86 to version 14.12.0.
- Update magick.net-q16-openmp-arm64 to version 14.12.0.
- Update magick.net-q16-openmp-x64 to version 14.12.0.
- Update magick.net-q16-arm64 to version 14.12.0.
- Update magick.net-q16-x64 to version 14.12.0.
- Update magick.net-q16-x86 to version 14.12.0.
- Update magick.net-q8-anycpu to version 14.12.0.
- Update magick.net-q8-openmp-arm64 to version 14.12.0.
- Update magick.net-q8-openmp-x64 to version 14.12.0.
- Update magick.net-q8-arm64 to version 14.12.0.
- Update magick.net-q8-x64 to version 14.12.0.
- Update magick.net-q8-x86 to version 14.12.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | magick.net-q16-anycpu | <= 14.12.0 | 14.12.0 |
| – | magick.net-q16-hdri-anycpu | <= 14.12.0 | 14.12.0 |
| – | magick.net-q16-hdri-openmp-arm64 | <= 14.12.0 | 14.12.0 |
| – | magick.net-q16-hdri-arm64 | <= 14.12.0 | 14.12.0 |
| – | magick.net-q16-hdri-x64 | <= 14.12.0 | 14.12.0 |
| – | magick.net-q16-hdri-x86 | <= 14.12.0 | 14.12.0 |
| – | magick.net-q16-openmp-arm64 | <= 14.12.0 | 14.12.0 |
| – | magick.net-q16-openmp-x64 | <= 14.12.0 | 14.12.0 |
| – | magick.net-q16-arm64 | <= 14.12.0 | 14.12.0 |
| – | magick.net-q16-x64 | <= 14.12.0 | 14.12.0 |
| – | magick.net-q16-x86 | <= 14.12.0 | 14.12.0 |
| – | magick.net-q8-anycpu | <= 14.12.0 | 14.12.0 |
| – | magick.net-q8-openmp-arm64 | <= 14.12.0 | 14.12.0 |
| – | magick.net-q8-openmp-x64 | <= 14.12.0 | 14.12.0 |
| – | magick.net-q8-arm64 | <= 14.12.0 | 14.12.0 |
| – | magick.net-q8-x64 | <= 14.12.0 | 14.12.0 |
| – | magick.net-q8-x86 | <= 14.12.0 | 14.12.0 |
Original title
ImageMagick has a Stack Overflow in DestroyXMLTree()
Original description
Magick frees the memory of the XML tree via the `DestroyXMLTree` function; however, this process is executed recursively with no depth limit imposed. When magick processes an XML file with deeply nested structures, it will exhaust the stack memory, resulting in a Denial of Service (DoS) attack.
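The unbounded-recursion pattern described above, next to an iterative teardown whose stack use does not depend on nesting depth. This is an added illustration, not ImageMagick's code or its actual fix; the `node` struct and the functions `destroy_recursive`, `destroy_iterative` and `make_nested` are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical tree node (not ImageMagick's XMLTreeInfo): first child + next sibling. */
typedef struct node { struct node *child, *next; } node;

/* Pattern from the description: one stack frame per nesting level, so the
   depth of the input decides how much stack is consumed (CWE-674). */
size_t destroy_recursive(node *n) {
    size_t freed = 0;
    while (n) {
        node *next = n->next;
        freed += destroy_recursive(n->child);
        free(n);
        freed++;
        n = next;
    }
    return freed;
}

/* Iterative teardown: the nodes' own `next` pointers form the work list,
   so no recursion and no extra allocation is needed. */
size_t destroy_iterative(node *root) {
    size_t freed = 0;
    node *head = root;
    while (head) {
        node *n = head;
        head = n->next;
        if (n->child) {                 /* splice child list in front of the work list */
            node *tail = n->child;
            while (tail->next) tail = tail->next;
            tail->next = head;
            head = n->child;
        }
        free(n);
        freed++;
    }
    return freed;
}

/* Constructed input: a chain nested `depth` levels deep. */
node *make_nested(size_t depth) {
    node *root = NULL, *cur = NULL;
    for (size_t i = 0; i < depth; i++) {
        node *n = calloc(1, sizeof *n);
        if (!n) { destroy_iterative(root); return NULL; }
        if (cur) cur->child = n; else root = n;
        cur = n;
    }
    return root;
}

int main(void) {
    printf("freed %zu nodes\n", destroy_iterative(make_nested(200000)));
    return 0;
}
```

The recursive form is only safe on input whose depth is bounded elsewhere, for example by a nesting cap enforced at parse time.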
NVD CVSS 3.1
7.5
Vulnerability type
CWE-674
- https://github.com/ImageMagick/ImageMagick/commit/ccdc01180276aa2cb3d4a32a611aa4...
- https://github.com/ImageMagick/ImageMagick/releases/tag/7.1.2-19
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-fwvm-ggf6-2p...
- https://github.com/dlemstra/Magick.NET/releases/tag/14.12.0
- https://github.com/advisories/GHSA-fwvm-ggf6-2p4x
Published: 14 Apr 2026 · Updated: 14 Apr 2026 · First seen: 13 Apr 2026