CVE-2026-33908: ImageMagick has a Stack Overflow in DestroyXMLTree()
ImageMagick frees an in-memory XML tree with the DestroyXMLTree() function, which walks the tree recursively with no limit on recursion depth. Every nesting level costs one stack frame, so an attacker who can get ImageMagick to parse an XML document with deeply nested elements can exhaust the stack and crash the process, a Denial of Service (DoS). The "stack overflow" here is stack exhaustion through unbounded recursion, not a stack buffer overflow, so it is a crash rather than a memory-corruption primitive. The issue is fixed in ImageMagick 7.1.2-19 (commit ccdc01180276aa2cb3d4a32a611aa4f417061cd8) and in Magick.NET 14.12.0.
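The failure mode and its two usual mitigations, as an added example that is not ImageMagick's code: a hypothetical child/sibling tree type (not ImageMagick's XMLTreeInfo), a recursive destroy that mirrors the unbounded pattern, an iterative destroy with an explicit heap-allocated work list that uses constant stack regardless of nesting, and a pre-parse depth guard over raw XML text. All names, the tree layout and the sample documents are assumptions made for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical, stripped-down tree node: a chain of nested children and a
   chain of siblings, the shape in which an XML document is typically held.
   Example code only, not ImageMagick's XMLTreeInfo. */
typedef struct Node {
    struct Node *child;    /* first nested element */
    struct Node *sibling;  /* next element at the same level */
} Node;

/* Build a chain of `depth` elements, each nested inside the previous one
   (what parsing "<a><a><a>...</a></a></a>" would produce). Returns the root. */
Node *build_nested(size_t depth) {
    Node *root = NULL, *cur = NULL;
    for (size_t i = 0; i < depth; i++) {
        Node *n = calloc(1, sizeof *n);
        if (n == NULL) abort();
        if (cur == NULL) root = n; else cur->child = n;
        cur = n;
    }
    return root;
}

/* Unbounded recursion: one stack frame per nesting level, so whoever controls
   the nesting depth of the input also controls stack usage. This is the
   pattern the advisory describes. Returns the number of nodes freed. */
size_t destroy_recursive(Node *n) {
    if (n == NULL) return 0;
    size_t freed = destroy_recursive(n->child) + destroy_recursive(n->sibling);
    free(n);
    return freed + 1;
}

/* Iterative destroy: explicit work list on the heap, so stack usage stays
   constant however deeply the document nests. Returns the number of nodes freed. */
size_t destroy_iterative(Node *root) {
    size_t freed = 0, len = 0, cap = 64;
    Node **stack = malloc(cap * sizeof *stack);
    if (stack == NULL) abort();
    if (root != NULL) stack[len++] = root;
    while (len > 0) {
        Node *n = stack[--len];
        if (len + 2 > cap) {                 /* room for child and sibling */
            cap *= 2;
            Node **tmp = realloc(stack, cap * sizeof *stack);
            if (tmp == NULL) abort();
            stack = tmp;
        }
        if (n->child != NULL) stack[len++] = n->child;
        if (n->sibling != NULL) stack[len++] = n->sibling;
        free(n);
        freed++;
    }
    free(stack);
    return freed;
}

/* Pre-parse depth guard over raw XML text: counts opening tags minus closing
   tags and refuses input that nests deeper than `limit`. Returns the maximum
   depth seen, or -1 once the limit is exceeded. It skips declarations,
   comments and self-closing tags but does not understand CDATA or quoted
   '>' characters: it is a cheap guard in front of the parser, not a parser. */
long xml_nesting_depth(const char *xml, long limit) {
    long depth = 0, max = 0;
    for (const char *p = xml; *p; p++) {
        if (*p != '<') continue;
        if (p[1] == '/') {                   /* closing tag */
            if (depth > 0) depth--;
        } else if (p[1] == '?' || p[1] == '!') {
            continue;                        /* <?xml ...?> or <!-- ... --> */
        } else {
            const char *end = strchr(p, '>');
            if (end == NULL) break;          /* truncated tag: stop counting */
            if (end[-1] == '/') continue;    /* self-closing <x/> */
            if (++depth > max) max = depth;
            if (max > limit) return -1;
        }
    }
    return max;
}
```

The recursive version is kept only to make the contrast visible; calling it on a tree of a few hundred thousand nesting levels is exactly the crash the advisory describes, so a real fix uses either the iterative teardown or a depth limit enforced while the tree is being built (before any recursion has happened), and ideally both.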
References
- github.com/ImageMagick/ImageMagick
- github.com/ImageMagick/ImageMagick/commit/ccdc01180276aa2cb3d4a32a611aa4f417061cd8
- github.com/ImageMagick/ImageMagick/releases/tag/7.1.2-19
- github.com/ImageMagick/ImageMagick/security/advisories/GHSA-fwvm-ggf6-2p4x
- github.com/advisories/GHSA-fwvm-ggf6-2p4x
- github.com/dlemstra/Magick.NET/releases/tag/14.12.0
- nvd.nist.gov/vuln/detail/CVE-2026-33908