Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a `continue` statement in the JPEG extent binary search loop in the jpeg encoder causes an infinite loop when writing persistently fails. An attacker can trigger a 100% CPU consumption and process hang (Denial of Service) with a crafted image. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
Published: 2026-02-24
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

ImageMagick's JPEG encoder can enter an infinite loop when an image is written with the `jpeg:extent` option, which asks the encoder to find the highest quality setting whose output stays under a requested file size. That search is a binary search, and a `continue` statement inside the loop skips the rest of the loop body, including the progress that would otherwise end the search, whenever a write attempt fails. If the write fails persistently, the loop retries the same failing step forever, pinning a CPU core at 100 % and leaving the process hung (CWE-835, loop with an unreachable exit condition). An attacker who can get a crafted image into such an encoding pipeline therefore causes a denial of service against the image-processing process.
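The loop shape described above, as an added illustration rather than ImageMagick's actual source: a binary search over JPEG quality that stops narrowing its interval when the write fails. The `write_jpeg_stub` encoder, its linear size model and the `max_iters` guard are assumptions made for this demo; the real encoder has no such guard, which is why the defect hangs the process instead of reporting it.

```c
/*
 * Added example, not ImageMagick's code: a simplified reconstruction of the
 * binary-search pattern the advisory describes, so the effect of a stray
 * `continue` on a persistently failing write can be observed safely. The
 * encoder stub, its size model and the iteration guard are all assumptions
 * made for this demo.
 */
#include <stdbool.h>
#include <stdio.h>

enum extent_result { EXTENT_OK, EXTENT_NO_FIT, EXTENT_HUNG };

/* Stand-in for the JPEG writer: returns the encoded size for a quality level,
 * or -1 to model a write that fails every time (assumed, e.g. an unwritable
 * output). Sizes grow monotonically with quality in this toy model. */
static long write_jpeg_stub(int quality, bool write_fails)
{
    if (write_fails)
        return -1;
    return 1000L + 400L * quality;
}

/*
 * Search quality in [1,100] for the highest setting whose output fits in
 * max_bytes, as a jpeg:extent-style encoder would.
 *   skip_update_on_failure = true  -> the defective shape: `continue` on a
 *                                     failed write leaves lo/hi untouched, so
 *                                     the same quality is retried forever.
 *   skip_update_on_failure = false -> the safe shape: give up on failure.
 * max_iters is a guard that exists only so this demo can report the hang
 * instead of spinning; the real loop had no such bound.
 */
static enum extent_result search_extent(long max_bytes, bool write_fails,
                                        bool skip_update_on_failure,
                                        int max_iters, int *best_quality,
                                        int *iterations)
{
    int lo = 1, hi = 100, best = -1, iters = 0;

    while (lo <= hi) {
        int mid = lo + (hi - lo) / 2;
        long size;

        if (++iters > max_iters) {
            *best_quality = -1;
            *iterations = iters;
            return EXTENT_HUNG;          /* unbounded loop detected */
        }

        size = write_jpeg_stub(mid, write_fails);
        if (size < 0) {
            if (skip_update_on_failure)
                continue;                /* BUG: no progress on lo/hi */
            break;                       /* FIX: persistent failure ends the search */
        }
        if (size <= max_bytes) {
            best = mid;                  /* fits: try a higher quality */
            lo = mid + 1;
        } else {
            hi = mid - 1;                /* too large: try a lower quality */
        }
    }

    *best_quality = best;
    *iterations = iters;
    return best >= 0 ? EXTENT_OK : EXTENT_NO_FIT;
}

int main(void)
{
    int q, n;

    search_extent(20000, false, false, 1000, &q, &n);
    printf("healthy write:           quality=%d after %d attempts\n", q, n);

    if (search_extent(20000, true, true, 1000, &q, &n) == EXTENT_HUNG)
        printf("buggy loop, write fails: still running after %d attempts\n", n);

    search_extent(20000, true, false, 1000, &q, &n);
    printf("fixed loop, write fails: gave up after %d attempt(s)\n", n);
    return 0;
}
```

Compile with `cc -std=c99 -o extent_demo extent_demo.c`. In the defective shape the guard trips after 1000 retries of the same quality; without the guard the only exit is a wall-clock limit imposed from outside the process, which is what the resource-limit advice in the recommended actions provides.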

Affected Systems

All ImageMagick releases before 7.1.2-15 on the 7.x line and before 6.9.13-40 on the 6.x line are affected; the fix ships in those two releases. Debian has issued its own updates for its packaged versions (DLA-4497-1, DSA-6158-1 and DSA-6159-1, listed under Advisories below). The software is commonly embedded in web servers, image-management applications and content-delivery pipelines that convert or compress JPEG images, which is where the affected encoder is typically invoked on user-supplied input.

Risk and Exploitability

The CVSS 3.1 vector is AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (score 6.2, Medium): no privileges or user interaction are required, confidentiality and integrity are untouched, and the availability impact is high. EPSS is below 1 %, the flaw is not in the CISA KEV catalog, and the SSVC assessment records Exploitation: none, Automatable: no, Technical Impact: partial. The vector scores the attack as local, but the practical exposure is any service that accepts untrusted images and encodes them with `jpeg:extent` (upload handlers, thumbnailers, automated rendering services): a crafted JPEG reaching that path consumes a full CPU core until the process is killed, and without a per-conversion time limit repeated requests can tie up every worker.

Generated by OpenCVE AI on April 17, 2026 at 15:56 UTC.

Remediation

Fixed upstream in ImageMagick 7.1.2-15 and 6.9.13-40 (see the description above). No separate vendor workaround is published; the recommended actions below cover mitigation where an upgrade is not yet possible.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to version 7.1.2-15 or later, or 6.9.13-40 or later, to apply the official patch.
  • If an upgrade cannot be performed immediately, disable the jpeg:extent option or validate image inputs to prevent untrusted files from reaching the encoder.
  • Apply system‑level resource limits such as CPU quotas or cgroups to contain runaway CPU usage and mitigate the impact of any remaining loops.
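A version gate for the first recommended action, written for this page as an added example (it is neither ImageMagick's nor OpenCVE's code): it parses an upstream version string and compares it with the fixed releases named above. The `major.minor.patch-build` form and the `Version: ImageMagick ...` line layout are assumptions about what `magick -version` prints.

```c
/*
 * Added example, not ImageMagick's or OpenCVE's code: decide whether an
 * ImageMagick version string falls before the fixed releases this advisory
 * names (7.1.2-15 on the 7.x line, 6.9.13-40 on the 6.x line). The
 * "major.minor.patch-build" format and the "Version: ImageMagick ..." line
 * layout are assumptions about the output of `magick -version`.
 */
#include <stdio.h>
#include <string.h>

/* Fixed releases from the advisory, as {major, minor, patch, build}. */
static const int FIXED_7[4] = {7, 1, 2, 15};
static const int FIXED_6[4] = {6, 9, 13, 40};

/* Lexicographic comparison of two version tuples. */
static int cmp_version(const int a[4], const int b[4])
{
    for (int i = 0; i < 4; i++) {
        if (a[i] != b[i])
            return a[i] < b[i] ? -1 : 1;
    }
    return 0;
}

/*
 * Returns 1 if the upstream version predates the fix, 0 if it includes it,
 * and -1 if the string does not parse as major.minor.patch-build or belongs
 * to a major line the advisory does not cover.
 */
int im_version_vulnerable(const char *version)
{
    int v[4];

    if (sscanf(version, "%d.%d.%d-%d", &v[0], &v[1], &v[2], &v[3]) != 4)
        return -1;
    if (v[0] == 7)
        return cmp_version(v, FIXED_7) < 0;
    if (v[0] == 6)
        return cmp_version(v, FIXED_6) < 0;
    return -1;
}

/* Same check on the first line of `magick -version`, e.g.
 * "Version: ImageMagick 7.1.2-14 Q16-HDRI x86_64 ..." (assumed layout). */
int im_version_line_vulnerable(const char *line)
{
    const char *p = strstr(line, "ImageMagick ");

    if (p == NULL)
        return -1;
    return im_version_vulnerable(p + strlen("ImageMagick "));
}

int main(void)
{
    /* Constructed sample line, not captured from a real host. */
    const char *sample = "Version: ImageMagick 7.1.2-14 Q16-HDRI x86_64";
    const char *names[] = {"patched", "VULNERABLE", "unknown"};
    int r = im_version_line_vulnerable(sample);

    printf("%s -> %s\n", sample, names[r < 0 ? 2 : r]);
    return 0;
}
```

This compares upstream version numbers only. Distributions backport security fixes without bumping the upstream version string, so a Debian package fixed through the DLA/DSA entries listed under Advisories will still report a version below 6.9.13-40 or 7.1.2-15; on such hosts compare the package version against the distribution advisory instead.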


Advisories

Source       ID                   Title
Debian DLA   DLA-4497-1           imagemagick security update
Debian DSA   DSA-6158-1           imagemagick security update
Debian DSA   DSA-6159-1           imagemagick security update
Github GHSA  GHSA-gwr3-x37h-h84v  ImageMagick has a possible infinite loop in its JPEG encoder when using `jpeg:extent`
History

Tue, 24 Feb 2026 22:15:00 +0000
  Type: Metrics
  Values added: ssvc = {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Feb 2026 18:45:00 +0000
  Type: CPEs
  Values added: cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*

Tue, 24 Feb 2026 12:15:00 +0000
  Type: References
  Type: Metrics
  Values removed: threat_severity = None
  Values added: threat_severity = Moderate

Tue, 24 Feb 2026 10:00:00 +0000
  Type: First Time appeared
  Values added: Imagemagick; Imagemagick imagemagick
  Type: Vendors & Products
  Values added: Imagemagick; Imagemagick imagemagick

Tue, 24 Feb 2026 03:00:00 +0000
  Type: Description
  Values added: ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a `continue` statement in the JPEG extent binary search loop in the jpeg encoder causes an infinite loop when writing persistently fails. An attacker can trigger a 100% CPU consumption and process hang (Denial of Service) with a crafted image. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
  Type: Title
  Values added: ImageMagick has possible infinite loop in JPEG encoder when using `jpeg:extent`
  Type: Weaknesses
  Values added: CWE-835
  Type: References
  Type: Metrics
  Values added: cvssV3_1 = {'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-24T20:47:41.990Z

Reserved: 2026-02-12T17:10:53.414Z

Link: CVE-2026-26283

Vulnrichment

Updated: 2026-02-24T20:47:36.776Z

NVD

Status : Analyzed

Published: 2026-02-24T03:16:01.290

Modified: 2026-02-24T18:41:35.010

Link: CVE-2026-26283

Redhat

Severity : Moderate

Public Date: 2026-02-24T01:55:59Z

Links: CVE-2026-26283 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T16:00:11Z

Weaknesses