CVE-2026-33905 Overview
ImageMagick, a widely used open-source software suite for editing and manipulating digital images, contains an out-of-bounds read vulnerability in the -sample operation. When a specific offset is configured through the sample:offset define, the application fails to properly validate memory boundaries, resulting in an out-of-bounds read condition. This vulnerability affects ImageMagick versions prior to 7.1.2-19 and 6.9.13-44.
Critical Impact
Exploitation of this vulnerability can lead to denial of service conditions through application crashes when processing maliciously crafted images with specific offset parameters.
Affected Products
- ImageMagick versions below 7.1.2-19 (version 7.x branch)
- ImageMagick versions below 6.9.13-44 (version 6.x branch)
- Magick.NET versions prior to 14.12.0
Discovery Timeline
- 2026-04-13 - CVE-2026-33905 published to NVD
- 2026-04-13 - Last updated in NVD database
Technical Details for CVE-2026-33905
Vulnerability Analysis
This vulnerability is classified as CWE-125 (Out-of-Bounds Read), a memory safety issue that occurs when the software reads data past the end or before the beginning of the intended buffer. In the context of ImageMagick's -sample operation, the vulnerability manifests when processing images with a maliciously crafted sample:offset define value.
The flaw exists in the MagickCore/resize.c file, specifically in how the sample operation handles offset calculations. When a user or automated process supplies a crafted offset value, the application does not properly validate that the resulting memory access stays within allocated buffer boundaries.
An attacker who can influence image processing parameters could trigger this condition to cause application crashes, potentially leading to denial of service. While the vulnerability requires local access and user interaction to exploit, it poses a significant risk in environments where ImageMagick processes untrusted input files.
Root Cause
The root cause of this vulnerability lies in insufficient boundary validation within the sample offset handling code. The -sample operation uses offset values to determine how pixels are read during image resampling. Prior to the fix, the code did not properly validate that the calculated offset positions remained within the bounds of the source image buffer, allowing reads beyond allocated memory regions.
Attack Vector
The attack vector for CVE-2026-33905 requires local access to a system running a vulnerable version of ImageMagick. An attacker would need to craft a malicious image file or command-line parameters that specify an out-of-bounds sample:offset value. When the victim processes this input using the -sample operation, the out-of-bounds read is triggered.
Exploitation scenarios include:
- Processing images through command-line tools like convert or mogrify
- Web applications that use ImageMagick for image processing
- Automated image processing pipelines that accept user-submitted files
// Security patch excerpt from MagickCore/resize.c
// Source: https://github.com/ImageMagick/ImageMagick/commit/cca607366fb38c2dde019a9088b8415ffba3a835
sample_offset;
ssize_t
- j,
- *x_offset,
y;
/*
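Review bot: the declaration list here loses `j` and `*x_offset`, but the excerpt stops at the opening `/*` and never shows the code that now computes the sampled column, so the bounds validation this advisory attributes to the fix cannot be confirmed from these lines. When reviewing the full commit, check that the x position derived from `sample_offset` is validated against the source image's column count before each pixel read, and that a regression test covers an out-of-range sample:offset define.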
Source: GitHub Commit cca607366fb38c2dde019a9088b8415ffba3a835
Detection Methods for CVE-2026-33905
Indicators of Compromise
- Unexpected ImageMagick process crashes during image processing operations
- Segmentation fault errors in system logs related to ImageMagick or convert processes
- Application errors referencing MagickCore/resize.c or sample operations
- Abnormal memory access patterns in ImageMagick-related processes
Detection Strategies
- Monitor system logs for ImageMagick crash events and segmentation faults
- Implement file integrity monitoring on ImageMagick binaries to detect unauthorized modifications
- Deploy endpoint detection solutions capable of identifying memory access violations
- Review web application logs for unusual image processing requests containing sample:offset parameters
Monitoring Recommendations
- Enable verbose logging for ImageMagick operations in production environments
- Configure crash dump collection for forensic analysis of exploitation attempts
- Implement rate limiting on image processing endpoints to mitigate DoS scenarios
- Set up alerting for repeated ImageMagick process failures within short time windows
How to Mitigate CVE-2026-33905
Immediate Actions Required
- Update ImageMagick to version 7.1.2-19 or later for 7.x installations
- Update ImageMagick to version 6.9.13-44 or later for 6.x installations
- Update Magick.NET to version 14.12.0 or later if using the .NET wrapper
- Review and restrict ImageMagick policy configurations to limit exposed operations
Patch Information
The ImageMagick development team has addressed this vulnerability in the following releases:
| Branch | Fixed Version | Reference |
|---|---|---|
| 7.x | 7.1.2-19 | Release Tag |
| 6.x | 6.9.13-44 | GitHub Security Advisory |
| Magick.NET | 14.12.0 | Magick.NET Release |
The fix modifies the sample offset handling code in MagickCore/resize.c to properly validate memory boundaries before performing read operations.
Workarounds
- Disable the -sample operation by configuring ImageMagick's policy.xml to deny sample operations
- Implement input validation to reject images or commands containing sample:offset defines
- Run ImageMagick processes in sandboxed environments to limit the impact of crashes
- Use application-level filtering to sanitize user-controlled offset parameters before processing
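<!-- Configuration example: add to /etc/ImageMagick-7/policy.xml to restrict the sample operation. -->
<!-- This limits the potential attack surface while awaiting patching. -->
<policymap>
  <!-- Deny all delegates (external helper programs); broader than the sample operation itself -->
  <policy domain="delegate" rights="none" pattern="*" />
  <!-- Disable sample operation to mitigate CVE-2026-33905 -->
  <policy domain="filter" rights="none" pattern="sample" />
  <!-- Check that the rules are loaded with: magick -list policy, then confirm a -sample command is refused before relying on them -->
</policymap>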
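The input-validation workaround and the fixed-version thresholds above, combined in one gate for a service that builds ImageMagick command lines; this is an added example, not code from ImageMagick or the original page. The helper names and sample banners are constructed, and treating `-set option:sample:offset` like `-define` is a conservative assumption.

```python
import re

# Fixed releases named in this advisory, keyed by major branch.
FIXED = {7: (7, 1, 2, 19), 6: (6, 9, 13, 44)}
VERSION_RE = re.compile(r"ImageMagick (\d+)\.(\d+)\.(\d+)-(\d+)")
KEY = "sample:offset"


def is_patched(version_line):
    """True if a `-version` banner reports a release at or above the fix."""
    m = VERSION_RE.search(version_line)
    if not m:
        return False  # unparseable banner: fail closed
    ver = tuple(int(g) for g in m.groups())
    fixed = FIXED.get(ver[0])  # unknown branch also fails closed
    return fixed is not None and ver >= fixed


def sample_offset_args(argv):
    """Return indexes of argv tokens that set the sample:offset define."""
    hits = []
    for i, tok in enumerate(argv[:-1]):
        flag, value = tok.lower(), argv[i + 1].lower().strip()
        if flag == "-define":
            # -define takes key=value; compare the key part only
            if value.split("=", 1)[0].strip() == KEY:
                hits.append(i + 1)
        elif flag == "-set" and value in (KEY, "option:" + KEY):
            # assumption: -set option:key is treated like -define
            hits.append(i + 1)
    return hits


def vet_command(argv, version_line):
    """Raise ValueError if an unpatched build would receive sample:offset."""
    hits = sample_offset_args(argv)
    if hits and not is_patched(version_line):
        raise ValueError("sample:offset rejected at argv index %s" % hits)
    return argv


# Constructed sample inputs (not from a real host or request)
OLD = "Version: ImageMagick 7.1.1-43 Q16-HDRI x86_64 https://imagemagick.org"
NEW = "Version: ImageMagick 7.1.2-19 Q16-HDRI x86_64 https://imagemagick.org"
CMD = ["magick", "in.png", "-define", "Sample:Offset=50",
       "-sample", "50%", "out.png"]
```

Call `vet_command` on the final argument list immediately before the process is spawned, passing the first line of the installed binary's `-version` output.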
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

