The flaw in ImageMagick’s PSD decoder allows a crafted PSD file to bypass the list‑length resource policy, effectively negating the limits intended to prevent the program from allocating excessive memory or processing large image files. The omission creates a potential for resource exhaustion, which could lead to a denial of service condition. Based on the description, the weakness is consistent with CWE‑400 (Uncontrolled Resource Consumption) and CWE‑770 (Allocation of Resource or Place for the Unexpected Object). Since no code execution is possible, the primary harm is degrading availability rather than compromising confidentiality or integrity.

The affected product is ImageMagick from ImageMagick:ImageMagick. Versions older than 6.9.13-47 and older than 7.1.2-22 are impacted. Newer releases patch the missing policy check and are not affected.

The CVSS score of 5.3 indicates a moderate severity, and the EPSS score is not available, so the precise exploitation probability cannot be quantified. The vulnerability is not listed in the CISA KEV catalog, pointing to a lower likelihood of widespread exploitation. Attackers must supply a malicious PSD file to the vulnerable system; if the system processes images from untrusted sources—such as a web service or a file upload endpoint—the risk can be escalated. In the absence of a public exploit, the threat remains primarily theoretical, but the resource‑exhaustion attack path could still be used to trigger DoS in high‑traffic environments.