{ "threat_severity" : "Important", "public_date" : "2026-04-13T21:06:42Z", "bugzilla" : { "description" : "ImageMagick: Magick.NET: ImageMagick: Denial of Service via deeply nested XML file processing", "id" : "2458041", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2458041" }, "cvss3" : { "cvss3_base_score" : "7.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status" : "draft" }, "cwe" : "CWE-776", "details" : [ "A flaw was found in ImageMagick, a free and open-source software for editing and manipulating digital images. When ImageMagick processes an XML file with deeply nested structures, the `DestroyXMLTree()` function, which frees memory, is executed recursively without a depth limit. This can lead to the exhaustion of stack memory, allowing a remote attacker to cause a Denial of Service (DoS) by providing a specially crafted XML file." ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "ImageMagick", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "ImageMagick", "cpe" : "cpe:/o:redhat:enterprise_linux:7" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-33908\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33908\nhttps://github.com/ImageMagick/ImageMagick/commit/ccdc01180276aa2cb3d4a32a611aa4f417061cd8\nhttps://github.com/ImageMagick/ImageMagick/releases/tag/7.1.2-19\nhttps://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-fwvm-ggf6-2p4x\nhttps://github.com/dlemstra/Magick.NET/releases/tag/14.12.0" ], "name" : "CVE-2026-33908", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }