Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, when a PCD file does not contain a valid Sync marker, the DecodeImage() function becomes trapped in an infinite loop while searching for the Sync marker, causing the program to become unresponsive and continuously consume CPU resources, ultimately leading to system resource exhaustion and denial of service. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
Published: 2026-02-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

ImageMagick’s DecodeImage() function enters an infinite loop when a PCD file lacks a valid Sync marker. The loop consumes CPU, causes the program to hang, and eventually exhausts system resources, disabling the image processing service. This flaw is a classic denial‑of‑service vulnerability stemming from insufficient input validation (CWE‑400) and an unbounded loop (CWE‑835).

Affected Systems

The vulnerability affects ImageMagick prior to releases 7.1.2‑15 and 6.9.13‑40. Versions following those releases include the patch. The CPE list also lists magick.net, indicating that the .NET binding may use the same decoding code; however, the CVE description does not explicitly mention Magick.NET versions, so its impact remains inferred.

Risk and Exploitability

With a CVSS score of 7.5, the flaw represents high impact. The EPSS score is reported below 1 %, suggesting a low but non‑zero likelihood of observed exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require feeding a crafted PCD file to an application that invokes ImageMagick’s DecodeImage routine, which could be done remotely if the application accepts user‑supplied image files. Because the flaw causes resource exhaustion rather than privilege escalation, an attacker would need only the ability to input the malicious file.

Generated by OpenCVE AI on April 18, 2026 at 11:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to ImageMagick 7.1.2‑15 or newer, or 6.9.13‑40 or newer; apply the corresponding patch for any bundled versions.
  • If the application does not need PCD support, disable or remove PCD file handling to prevent the flaw from being triggered.
  • Deploy process resource limits (CPU or execution time quotas) or run ImageMagick workloads in isolated containers to contain the impact of a potential denial‑of‑service attack.

Generated by OpenCVE AI on April 18, 2026 at 11:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4497-1 imagemagick security update
Debian DSA Debian DSA DSA-6158-1 imagemagick security update
Debian DSA Debian DSA DSA-6159-1 imagemagick security update
Github GHSA Github GHSA GHSA-pqgj-2p96-rx85 ImageMagick: Infinite loop vulnerability when parsing a PCD file
History

Fri, 27 Feb 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Dlemstra
Dlemstra magick.net
CPEs cpe:2.3:a:dlemstra:magick.net:*:*:*:*:*:*:*:*
cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*
Vendors & Products Dlemstra
Dlemstra magick.net

Thu, 26 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-835
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 24 Feb 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Imagemagick
Imagemagick imagemagick
Vendors & Products Imagemagick
Imagemagick imagemagick

Tue, 24 Feb 2026 00:45:00 +0000

Type Values Removed Values Added
Description ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, when a PCD file does not contain a valid Sync marker, the DecodeImage() function becomes trapped in an infinite loop while searching for the Sync marker, causing the program to become unresponsive and continuously consume CPU resources, ultimately leading to system resource exhaustion and denial of service. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
Title ImageMagick: Infinite loop vulnerability when parsing a PCD file
Weaknesses CWE-400
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Dlemstra Magick.net
Imagemagick Imagemagick
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T14:49:07.397Z

Reserved: 2026-01-23T00:38:20.548Z

Link: CVE-2026-24485

cve-icon Vulnrichment

Updated: 2026-02-26T14:48:59.508Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-24T01:16:12.757

Modified: 2026-02-27T14:34:13.443

Link: CVE-2026-24485

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-24T00:34:04Z

Links: CVE-2026-24485 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T11:15:35Z

Weaknesses