Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted profile containing invalid IPTC data may cause an infinite loop when writing it with `IPTCTEXT`. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
Published: 2026-02-24
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

ImageMagick, an open‑source image editing tool, contains a flaw that triggers an infinite loop when writing the IPTCTEXT resource for a crafted profile with invalid IPTC data. The loop can consume CPU resources until the process is terminated, leading to a denial of service. The underlying weakness is a use of unvalidated input that causes a runaway loop, reflected in CWE-400 and CWE-835.

Affected Systems

The vulnerability affects all ImageMagick installations that are older than versions 7.1.2‑15 and 6.9.13‑40. Any system running these older releases and processing user‑supplied images that include IPTCTEXT metadata is potentially exposed. The vendor released patches that address the infinite loop in both 7.x and 6.x branches.

Risk and Exploitability

The CVSS score of 6.2 indicates a medium severity risk, while the EPSS score of less than 1% suggests a very low likelihood of exploitation in the wild, and the flaw is not currently listed in CISA's KEV catalog. The likely attack vector is local or remote image processing if the software is exposed to untrusted image uploads; a malicious profile can be crafted to trigger the loop during ordinary processing. Mitigation is straightforward by upgrading to the patched releases; until then, restricting IPTCTEXT usage or sanitizing input can reduce exposure.

Generated by OpenCVE AI on April 17, 2026 at 15:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to version 7.1.2-15 or 6.9.13-40 or later to apply the patch.
  • If upgrade is not possible, disable IPTCTEXT processing or remove IPTC metadata from images before they reach the application.
  • Implement input validation to reject or sanitize IPTC data before processing with IPTCTEXT.
  • Monitor for denial‑of‑service incidents that might indicate exploitation of the infinite loop flaw.

Advisories

Source       ID                    Title
Debian DLA   DLA-4497-1            imagemagick security update
Debian DSA   DSA-6158-1            imagemagick security update
Debian DSA   DSA-6159-1            imagemagick security update
Github GHSA  GHSA-v994-63cg-9wj3   ImageMagick has infinite loop when writing IPTCTEXT leads to denial of service via crafted profile

History

Tue, 24 Feb 2026 18:45:00 +0000
  Type: CPEs
  Values added: cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*

Tue, 24 Feb 2026 12:15:00 +0000
  Type: References (no values listed)
  Type: Metrics (threat_severity)
  Values removed: None
  Values added: Moderate

Tue, 24 Feb 2026 10:00:00 +0000
  Type: First Time appeared
  Values added: Imagemagick (vendor), Imagemagick imagemagick (product)
  Type: Vendors & Products
  Values added: Imagemagick, Imagemagick imagemagick

Tue, 24 Feb 2026 03:00:00 +0000
  Type: Description
  Values added: ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted profile contain invalid IPTC data may cause an infinite loop when writing it with `IPTCTEXT`. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
  Type: Title
  Values added: ImageMagick has infinite loop when writing IPTCTEXT leads to denial of service via crafted profile
  Type: Weaknesses
  Values added: CWE-400, CWE-835
  Type: References (no values listed)
  Type: Metrics (cvssV3_1)
  Values added: {'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T21:33:40.181Z

Reserved: 2026-02-10T18:01:31.900Z

Link: CVE-2026-26066

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-02-24T03:16:00.937

Modified: 2026-02-24T18:42:32.553

Link: CVE-2026-26066

Redhat

Severity : Moderate

Public Date: 2026-02-24T01:52:30Z

Links: CVE-2026-26066 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T16:00:11Z

Weaknesses