Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-47 and 7.1.2-22, because of a missing check in the MNG coder it would be possible to read more images than the list limit policy would allow resulting in excessive resource use. This issue has been patched in versions 6.9.13-47 and 7.1.2-22.
Published: 2026-06-10
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from a missing validation in ImageMagick's MNG coder. A crafted MNG image can trigger processing of more images than allowed by the policy limit, leading to uncontrolled consumption of CPU and memory resources. The weakness corresponds to CWE‑400 and related Resource Exhaustion issues, with the potential to degrade or deny service on the hosting system.

Affected Systems

The issue affects installations of ImageMagick older than version 6.9.13‑47 (6.x line) or 7.1.2‑22 (7.x line). Any system running the open‑source image manipulation suite without the recent patch is vulnerable. The vulnerability does not target specific products beyond the core ImageMagick releases, so all derivatives that include the unpatched MNG coder are impacted until an upgrade.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate severity. The EPSS is unavailable, so the current likelihood of exploitation remains unknown. The vulnerability is not listed in CISA KEV, suggesting no known widespread exploitation. Based on the description, the attack scenario is a privileged or local attacker who can supply a malicious MNG file to a running ImageMagick process. If backend services routinely parse image uploads, the risk of a denial‑of‑service attack is substantial.

Generated by OpenCVE AI on June 10, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to version 6.9.13‑47 or newer on the 6.x line, or 7.1.2‑22 or later on the 7.x line.
  • Verify that the policy limit configured for MNG images is enforced and meets operational requirements.
  • Run ImageMagick in a resource‑constrained environment or container, limiting CPU and memory to prevent exhaustion.
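The first two actions above, as an added example that is not OpenCVE's or ImageMagick's own code: a POSIX shell check that compares a version string in the form printed by `magick -version` ("7.1.2-22") against the fixed releases named on this page, and reads the list-length resource policy (ImageMagick's list limit) out of a policy.xml, skipping commented-out lines. The policy file contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the advisory or ImageMagick): compares a version
# string in `magick -version` form ("7.1.2-22") against the fixed releases
# for this CVE and reads the list-length policy from a constructed policy.xml.
FIXED_6="6.9.13-47"
FIXED_7="7.1.2-22"

# Returns 0 when version $1 >= $2 in major.minor.patch-release order.
version_ge() {
    awk -v a="$1" -v b="$2" '
        function key(v,  f) { split(v, f, /[.-]/)
            return sprintf("%03d%03d%03d%04d", f[1], f[2], f[3], f[4]) }
        BEGIN { exit !(key(a) >= key(b)) }'
}

# Returns 0 when the version already carries the fix on its release line.
imagemagick_is_patched() {
    case "$1" in
        6.*) version_ge "$1" "$FIXED_6" ;;
        7.*) version_ge "$1" "$FIXED_7" ;;
        *)   return 1 ;;
    esac
}

# Prints the active list-length value from a policy.xml, or nothing when
# it is unset. Single-line <!-- --> comments are stripped first, because
# a commented-out example line is not enforced.
policy_list_length() {
    sed -n -e 's/<!--.*-->//g' \
        -e 's/.*<policy[^>]*domain="resource"[^>]*name="list-length"[^>]*value="\([^"]*\)".*/\1/p' \
        "$1" | head -n 1
}

# Constructed sample: one commented-out example line and one active limit.
write_sample_policy() {
    cat > "$1" <<'EOF'
<policymap>
  <!-- <policy domain="resource" name="list-length" value="unlimited"/> -->
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="list-length" value="32"/>
</policymap>
EOF
}

for v in 6.9.13-46 6.9.13-47 7.1.2-21 7.1.2-22; do
    imagemagick_is_patched "$v" && echo "$v: patched" || echo "$v: vulnerable"
done
tmp=$(mktemp) && write_sample_policy "$tmp"
echo "active list-length: $(policy_list_length "$tmp")"; rm -f "$tmp"
```

To check a live install, pass the third field of the first line of `magick -version` (or `convert -version` on 6.x) to imagemagick_is_patched and point policy_list_length at the policy.xml that `magick -list policy` reports. On an unpatched build the MNG coder bypasses the list-length limit, so the version check is the one that decides.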


Advisories
Source        ID                    Title
Debian DLA    DLA-4609-1            imagemagick security update
Debian DSA    DSA-6298-1            imagemagick security update
Debian DSA    DSA-6310-1            imagemagick security update
Github GHSA   GHSA-g5mf-wqq5-vwg6   ImageMagick: Policy Bypass in MNG coder could
History

Wed, 10 Jun 2026 22:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Imagemagick; Imagemagick imagemagick
Vendors & Products    -                Imagemagick; Imagemagick imagemagick

Wed, 10 Jun 2026 21:45:00 +0000

Type          Values Removed   Values Added
Description   -                ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-47 and 7.1.2-22, because of a missing check in the MNG coder it would be possible to read more images than the list limit policy would allow resulting in excessive resource use. This issue has been patched in versions 6.9.13-47 and 7.1.2-22.
Title         -                ImageMagick: Policy Bypass in MNG coder could
Weaknesses    -                CWE-400, CWE-407, CWE-674
References    -                -
Metrics       -                cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T21:30:51.855Z

Reserved: 2026-05-12T21:59:25.665Z

Link: CVE-2026-45664

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-10T22:16:58.910

Modified: 2026-06-10T22:16:58.910

Link: CVE-2026-45664

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T22:30:22Z

Weaknesses