Fluid Attacks Database

Description

ImageMagick has a Stack Overflow in DestroyXMLTree() Magick frees the memory of the XML tree via the DestroyXMLTree function; however, this process is executed recursively with no depth limit imposed. When magick processes an XML file with deeply nested structures, it will exhaust the stack memory, resulting in a Denial of Service (DoS) attack.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
nuget	magick.net-q16-openmp-x64	>=0 <14.12.0	14.12.0
debian 13	imagemagick	=8:7.1.1.43+dfsg1-1 \|\| =8:7.1.1.43+dfsg1-1+deb13u1 \|\| =8:7.1.1.43+dfsg1-1+deb13u2 \|\| =8:7.1.1.43+dfsg1-1+deb13u3 \|\| =8:7.1.1.43+dfsg1-1+deb13u4 \|\| =8:7.1.1.43+dfsg1-1+deb13u5 \|\| =8:7.1.1.43+dfsg1-1+deb13u6 \|\| =8:7.1.1.43+dfsg1-1+deb13u7 \|\| >=0 <8:7.1.1.43+dfsg1-1+deb13u8	8:7.1.1.43+dfsg1-1+deb13u8
debian 12	imagemagick	=8:6.9.11.60+dfsg-1.6 \|\| =8:6.9.11.60+dfsg-1.6+deb12u1 \|\| =8:6.9.11.60+dfsg-1.6+deb12u2 \|\| =8:6.9.11.60+dfsg-1.6+deb12u3 \|\| =8:6.9.11.60+dfsg-1.6+deb12u4 \|\| =8:6.9.11.60+dfsg-1.6+deb12u5 \|\| =8:6.9.11.60+dfsg-1.6+deb12u6 \|\| =8:6.9.11.60+dfsg-1.6+deb12u7 \|\| =8:6.9.11.60+dfsg-1.6+deb12u8 \|\| >=0 <8:6.9.11.60+dfsg-1.6+deb12u9	8:6.9.11.60+dfsg-1.6+deb12u9
nuget	magick.net-q16-anycpu	>=0 <14.12.0	14.12.0
nuget	magick.net-q16-hdri-anycpu	>=0 <14.12.0	14.12.0
nuget	magick.net-q16-hdri-openmp-arm64	>=0 <14.12.0	14.12.0
nuget	magick.net-q16-hdri-arm64	>=0 <14.12.0	14.12.0
nuget	magick.net-q16-hdri-x64	>=0 <14.12.0	14.12.0
nuget	magick.net-q16-hdri-x86	>=0 <14.12.0	14.12.0
nuget	magick.net-q16-openmp-arm64	>=0 <14.12.0	14.12.0

1-10 of 23

Aliases

1. CVE-2026-339082. NVD-2026-339083. OSV-2026-339084. OSV-DEBIAN-2026-339085. GHSA-fwvm-ggf6-2p4x6. GCVE-2026-339087. SECURITY-TRACKER-CVE-2026-33908

References

1. https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-fwvm-ggf6-2p4x2. https://github.com/ImageMagick/ImageMagick/commit/ccdc01180276aa2cb3d4a32a611aa4f417061cd83. https://github.com/ImageMagick/ImageMagick/releases/tag/7.1.2-194. https://github.com/dlemstra/Magick.NET/releases/tag/14.12.0