Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-47 and 7.1.2-22, because of a missing check in the MNG coder it would be possible to read more images than the list limit policy would allow resulting in excessive resource use. This issue has been patched in versions 6.9.13-47 and 7.1.2-22.
Published: 2026-06-10
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from a missing validation in ImageMagick's MNG coder. A crafted MNG image can make the coder read more images than the list-length resource policy allows, leading to uncontrolled consumption of CPU and memory. The weakness is classified as CWE‑400 (Uncontrolled Resource Consumption) together with the related CWE‑407, CWE‑674 and CWE‑770, with the potential to degrade or deny service on the host processing the image.

Affected Systems

The issue affects ImageMagick releases older than 6.9.13‑47 on the 6.x branch and older than 7.1.2‑22 on the 7.x branch. Any system running the suite without the patched MNG coder is vulnerable, including downstream packages and derivatives that bundle the unpatched coder, until it is upgraded.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate severity. The EPSS score is below 1%, so the estimated likelihood of exploitation is currently very low, and the vulnerability is not listed in CISA KEV, suggesting no known widespread exploitation. The CVSS vector (AV:N/AC:L/PR:N/UI:N) describes an unauthenticated remote attacker who only needs to get a malicious MNG file in front of a running ImageMagick process, with no user interaction. For backend services that routinely parse user‑supplied image uploads, the risk of denial of service is therefore substantial despite the moderate score.

Generated by OpenCVE AI on June 11, 2026 at 13:22 UTC.

Remediation

Fixed upstream in ImageMagick 6.9.13-47 and 7.1.2-22 (see description). No separate workaround is listed on this page.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to 6.9.13‑47 or later on the 6.x branch, or 7.1.2‑22 or later on the 7.x branch.
  • Verify that a list-length resource limit is set in policy.xml (`<policy domain="resource" name="list-length" value="..."/>`) and that it matches operational requirements; this is the limit the unpatched MNG coder bypasses, so it only protects you once the upgrade is in place.
  • Run ImageMagick in a resource‑constrained environment or container, with CPU and memory limits, so that a malicious file exhausts the sandbox rather than the host.
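The following script is an added example for the checks listed above; it is not from the OpenCVE page or the ImageMagick project. It compares an installed version string against the fixed releases named in the advisory, and extracts the list-length limit from a policy.xml. The helper names (`imagemagick_fixed`, `policy_list_length`, `installed_version`) and the embedded policy.xml are constructed for the example; the `<policy domain="resource" name="list-length" .../>` and `<policy domain="coder" rights="none" pattern="MNG"/>` entries are standard ImageMagick policy syntax.

```shell
#!/bin/sh
# Added example (not from the OpenCVE page or the ImageMagick project).
# 1. Is the installed ImageMagick at or past the fixed release for its branch?
# 2. Does policy.xml actually set a list-length limit (and, optionally, block MNG)?

# Fixed releases named in the advisory, per branch.
FIX_6="6.9.13-47"
FIX_7="7.1.2-22"

# pack VERSION : turn "major.minor.patch-rev" into one comparable integer.
# Assumes each component is below 1000, which holds for ImageMagick releases.
pack() {
  set -- $(printf '%s' "$1" | sed 's/[.-]/ /g')
  echo $(( ${1:-0} * 1000000000 + ${2:-0} * 1000000 + ${3:-0} * 1000 + ${4:-0} ))
}

# version_ge A B : true when version A is at or above version B.
version_ge() {
  [ "$(pack "$1")" -ge "$(pack "$2")" ]
}

# imagemagick_fixed VERSION : true when the version carries the MNG coder fix.
# An unrecognised branch is treated as not fixed.
imagemagick_fixed() {
  case "$1" in
    6.*) version_ge "$1" "$FIX_6" ;;
    7.*) version_ge "$1" "$FIX_7" ;;
    *)   return 1 ;;
  esac
}

# installed_version : print the version of the ImageMagick binary in PATH
# ("magick" for 7.x, "convert" for 6.x), or nothing if neither is found.
installed_version() {
  { magick -version 2>/dev/null || convert -version 2>/dev/null; } \
    | sed -n 's/^Version: ImageMagick \([0-9][0-9.-]*\).*/\1/p' | head -n 1
}

# policy_list_length XML : print the configured list-length value, or nothing
# when no such resource policy is present.
policy_list_length() {
  printf '%s\n' "$1" \
    | sed -n 's/.*domain="resource"[^>]*name="list-length"[^>]*value="\([^"]*\)".*/\1/p'
}

# policy_mng_blocked XML : true when the coder policy denies the MNG coder,
# a defence-in-depth option for hosts that never need MNG input.
policy_mng_blocked() {
  printf '%s\n' "$1" | grep -q 'domain="coder"[^>]*rights="none"[^>]*pattern="MNG"'
}

# Constructed sample policy.xml for the example (not a real deployment).
SAMPLE_POLICY='<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="list-length" value="128"/>
  <policy domain="coder" rights="none" pattern="MNG"/>
</policymap>'

# report POLICY_XML : human-readable summary of both checks.
report() {
  v=$(installed_version)
  if [ -z "$v" ]; then
    echo "ImageMagick: not found in PATH"
  elif imagemagick_fixed "$v"; then
    echo "ImageMagick $v: contains the MNG coder fix"
  else
    echo "ImageMagick $v: VULNERABLE, upgrade to $FIX_6 / $FIX_7 or later"
  fi
  ll=$(policy_list_length "$1")
  if [ -n "$ll" ]; then
    echo "policy.xml: list-length limit = $ll"
  else
    echo "policy.xml: no list-length limit set"
  fi
  if policy_mng_blocked "$1"; then
    echo "policy.xml: MNG coder blocked"
  fi
}

# Usage: run with no argument to check the embedded sample, or pass a policy.xml path.
if [ -n "$1" ] && [ -r "$1" ]; then
  report "$(cat "$1")"
else
  report "$SAMPLE_POLICY"
fi
```

The version comparison is deliberately per branch: a 7.1.2-21 host is vulnerable even though it is numerically far above 6.9.13-47, and a 6.x host is only safe at 6.9.13-47 or later. The attribute-order regex in `policy_list_length` expects `domain`, `name`, `value` in the order ImageMagick's shipped policy.xml uses.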

Advisories
Source        ID                    Title
Debian DLA    DLA-4609-1            imagemagick security update
Debian DSA    DSA-6298-1            imagemagick security update
Debian DSA    DSA-6310-1            imagemagick security update
GitHub GHSA   GHSA-g5mf-wqq5-vwg6   ImageMagick: Policy Bypass in MNG coder could
History

Thu, 11 Jun 2026 18:45:00 +0000
  CPEs (added): cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*

Thu, 11 Jun 2026 14:30:00 +0000
  Metrics (added): ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 11 Jun 2026 12:15:00 +0000
  Weaknesses (added): CWE-770
  References: updated
  Metrics threat_severity: None -> Important

Wed, 10 Jun 2026 22:45:00 +0000
  First Time appeared (added): Imagemagick; Imagemagick imagemagick
  Vendors & Products (added): Imagemagick; Imagemagick imagemagick

Wed, 10 Jun 2026 21:45:00 +0000
  Description (added): ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-47 and 7.1.2-22, because of a missing check in the MNG coder it would be possible to read more images than the list limit policy would allow resulting in excessive resource use. This issue has been patched in versions 6.9.13-47 and 7.1.2-22.
  Title (added): ImageMagick: Policy Bypass in MNG coder could
  Weaknesses (added): CWE-400, CWE-407, CWE-674
  References: added
  Metrics (added): cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-30T12:10:19.925Z

Reserved: 2026-05-12T21:59:25.665Z

Link: CVE-2026-45664

Vulnrichment

Updated: 2026-06-30T03:16:12.807Z

NVD

Status : Analyzed

Published: 2026-06-10T22:16:58.910

Modified: 2026-06-11T18:41:47.433

Link: CVE-2026-45664

Red Hat

Severity : Important

Public Date: 2026-06-10T21:30:51Z

Links: CVE-2026-45664 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-11T13:30:15Z

Weaknesses
  • CWE-400: Uncontrolled Resource Consumption
  • CWE-407: Inefficient Algorithmic Complexity
  • CWE-674: Uncontrolled Recursion
  • CWE-770: Allocation of Resources Without Limits or Throttling