CVE-2026-33902 Overview
A stack overflow vulnerability exists in ImageMagick's FX expression parser that allows an attacker to crash the image processing application by providing a deeply nested expression. ImageMagick is a widely-used free and open-source software suite for editing and manipulating digital images, making this vulnerability potentially impactful across numerous applications and web services that rely on ImageMagick for image processing.
Critical Impact
This vulnerability enables denial of service attacks through application crashes when processing maliciously crafted FX expressions with excessive nesting depth.
Affected Products
- ImageMagick versions below 7.1.2-19
- ImageMagick versions below 6.9.13-44
- Magick.NET versions prior to 14.12.0
Discovery Timeline
- 2026-04-13 - CVE CVE-2026-33902 published to NVD
- 2026-04-13 - Last updated in NVD database
Technical Details for CVE-2026-33902
Vulnerability Analysis
This vulnerability is classified as CWE-674 (Uncontrolled Recursion), which occurs when the FX expression parser fails to properly limit the depth of nested expressions during parsing operations. The FX expression language in ImageMagick allows complex image manipulation operations through mathematical and logical expressions. When an attacker crafts an expression with excessive nesting levels, the recursive parsing function exhausts the available stack memory, resulting in a stack overflow condition.
The local attack vector requires user interaction, meaning an attacker would need to convince a user to process a malicious image file or FX expression, or exploit an automated image processing pipeline that accepts untrusted input. The impact is limited to availability, as no confidentiality or integrity breach occurs—the vulnerability results in application termination rather than code execution.
Root Cause
The root cause stems from uncontrolled recursion in the FX expression parser component. The parser lacks adequate depth checking when processing nested parenthetical expressions or function calls, allowing attackers to trigger unbounded recursive calls that exceed stack memory limits. This is a common pattern in expression parsers that rely on recursive descent parsing without implementing explicit depth limits.
Attack Vector
An attacker can exploit this vulnerability by crafting a malicious FX expression containing deeply nested constructs. The attack requires local access to the system and user interaction—such as opening a specially crafted image file or processing an FX expression through the convert command or API. Automated image processing pipelines that accept user-uploaded images with FX expressions are particularly vulnerable.
The deeply nested expression would trigger recursive parsing calls that consume stack space until the available stack is exhausted, causing the ImageMagick process to crash. This can be leveraged for denial of service attacks against services that process user-supplied images.
Detection Methods for CVE-2026-33902
Indicators of Compromise
- Unexpected ImageMagick process crashes or segmentation faults during image processing operations
- Log entries indicating stack overflow or stack exhaustion errors from ImageMagick processes
- Unusual image processing requests containing excessively long or complex FX expressions
- Application monitoring alerts for repeated process terminations in image processing services
Detection Strategies
- Monitor system logs for ImageMagick process crashes with stack-related error messages
- Implement input validation to detect and reject FX expressions exceeding reasonable nesting depth thresholds
- Deploy application-level monitoring to track abnormal termination patterns in image processing workflows
- Review access logs for submissions containing unusually large or complex image processing parameters
Monitoring Recommendations
- Configure crash dump collection for ImageMagick processes to enable post-incident analysis
- Implement rate limiting on image processing endpoints to mitigate denial of service impact
- Monitor resource utilization patterns for image processing services to detect anomalous behavior
- Set up alerting for repeated process failures in production image processing infrastructure
How to Mitigate CVE-2026-33902
Immediate Actions Required
- Upgrade ImageMagick to version 7.1.2-19 or later for the 7.x branch
- Upgrade ImageMagick to version 6.9.13-44 or later for the 6.x branch
- Update Magick.NET to version 14.12.0 or later if using the .NET wrapper
- Review and restrict FX expression capabilities in production environments where possible
Patch Information
Security patches addressing this stack overflow vulnerability are available through the official ImageMagick repository. The fix is implemented in commit d3c0a37485314c5ccef72efb18f3847cd53868ba. For detailed security information, refer to the GitHub Security Advisory. Users of Magick.NET should update to version 14.12.0 which incorporates the patched ImageMagick libraries.
Workarounds
- Disable or restrict FX expression parsing functionality if not required for your use case
- Implement pre-processing validation to reject expressions with excessive nesting depth
- Run ImageMagick processes with resource limits (e.g., using ulimit -s to set stack size limits) to prevent uncontrolled crashes
- Isolate image processing operations in sandboxed environments to limit impact of process crashes
# Configuration example - Set resource limits for ImageMagick processes
# Add to ImageMagick policy.xml to restrict processing capabilities
# Location: /etc/ImageMagick-7/policy.xml or /etc/ImageMagick-6/policy.xml
# Limit memory and processing resources
# <policy domain="resource" name="memory" value="256MiB"/>
# <policy domain="resource" name="recursion" value="50"/>
# Run ImageMagick with stack size limits
ulimit -s 8192
convert input.png -fx 'expression' output.png
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
