{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33535", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-20T18:05:11.831Z", "datePublished": "2026-03-26T19:52:30.452Z", "dateUpdated": "2026-03-26T19:52:30.452Z"}, "containers": {"cna": {"title": "ImageMagick has an Out-of-Bounds write of a zero byte in its X11 display interaction", "problemTypes": [{"descriptions": [{"cweId": "CWE-787", "lang": "en", "description": "CWE-787: Out-of-bounds Write", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-mw3m-pqr2-qv7c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-mw3m-pqr2-qv7c"}], "affected": [{"vendor": "ImageMagick", "product": "ImageMagick", "versions": [{"version": "< 7.1.2-18", "status": "affected"}, {"version": "< 6.9.13-43", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T19:52:30.452Z"}, "descriptions": [{"lang": "en", "value": "ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-18 and 6.9.13-43, an out-of-bounds write of a zero byte exists in the X11 `display` interaction path that could lead to a crash. Versions 7.1.2-18 and 6.9.13-43 patch the issue."}], "source": {"advisory": "GHSA-mw3m-pqr2-qv7c", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-18 and 6.9.13-43, an out-of-bounds write of a zero byte exists in the X11 `display` interaction path that could lead to a crash. Versions 7.1.2-18 and 6.9.13-43 patch the issue."}], "id": "CVE-2026-33535", "lastModified": "2026-03-26T20:16:15.723", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T20:16:15.723", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-mw3m-pqr2-qv7c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "ImageMagick: ImageMagick: Denial of Service via out-of-bounds write in X11 display interaction path", "id": "2451855", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451855"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-787", "details": ["A flaw was found in ImageMagick, a free and open-source software used for editing and manipulating digital images. A local attacker could exploit an out-of-bounds write of a zero byte in the X11 display interaction path. This vulnerability, a type of memory corruption, could lead to a crash of the application, resulting in a Denial of Service (DoS)."], "mitigation": {"lang": "en:us", "value": "For systems where ImageMagick is not required, especially in server environments without a graphical interface, consider removing the `ImageMagick` package to eliminate the attack surface. This action may impact applications that rely on ImageMagick for image processing."}, "name": "CVE-2026-33535", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "ImageMagick", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "ImageMagick", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2026-03-26T19:52:30Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33535\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33535\nhttps://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-mw3m-pqr2-qv7c"], "statement": "Low impact. This flaw in ImageMagick's X11 display interaction path requires local access to trigger an out-of-bounds write, leading to a denial of service. Red Hat Enterprise Linux systems are affected if ImageMagick is installed and used in an X11 environment.", "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.1.2-18)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.9.13-43)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "ImageMagick", "source": "cna", "vendor": "ImageMagick"}, "product": "imagemagick", "vendor": "imagemagick"}], "analysis": {"en": {"generated_at": "2026-03-26T21:22:45.102957+00:00", "value": {"mitigation_remediation": ["Apply the ImageMagick patch to version 7.1.2\u201118 or newer, or 6.9.13\u201143 or newer, to resolve the out\u2011of\u2011bounds write.", "Verify the installed ImageMagick version with the vendor's release notes or checksum to confirm the patch has been applied.", "If an update is not immediately feasible, isolate or block the X11 display interaction for untrusted image inputs to prevent crashes.", "Keep the software regularly updated by monitoring the ImageMagick security advisories for future patches or additional fixes."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Any installation of ImageMagick using a version earlier than 7.1.2\u201118 or 6.9.13\u201143 is potentially vulnerable. The vulnerability affects the ImageMagick product across all platforms that expose the X11 display interface.", "description_and_impact": "ImageMagick contains an out\u2011of\u2011bounds write of a zero byte in the X11 display interaction path. The flaw can cause the application to crash when processing a crafted image. The result is a denial of service, as the affected process terminates unexpectedly, without offering elevation of privilege, data corruption, or data disclosure.", "risk_and_exploitability": "The CVSS score of 4 indicates a moderate severity, and the EPSS score is not available, suggesting there is no publicly known exploit yet. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is the ability to submit a malicious image to the X11 display path, which may be local or remote depending on the context; however, the input does not explicitly state the exact vector, so this is inferred from the description of the affected interaction."}}}}, "created": "2026-03-27T08:32:21.893021+00:00", "updated": "2026-03-27T09:25:18.639678+00:00", "vendors": ["imagemagick", "imagemagick$PRODUCT$imagemagick"]}