Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2.23 and 6.9.13-48, due to a missing check in the MIFF decoder, a crafted file could cause an infinite loop resulting in CPU exhaustion. Versions 7.1.2.23 and 6.9.13-48 fix the issue.
Published: 2026-06-10
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A crafted MIFF image file can trigger an infinite loop in the ImageMagick MIFF decoder. The loop consumes CPU cycles without termination, degrading system performance or halting it entirely. This weakness is linked to improper input validation (CWE‑400) and lack of loop termination control (CWE‑835). An attacker could inject such a file into any system that processes images with ImageMagick, leading to denial of service for legitimate users.

Affected Systems

Employees using ImageMagick versions before 7.1.2.23 or 6.9.13‑48 are at risk. The vulnerability applies to all installations of ImageMagick, the open‑source image manipulation library, across Windows, Linux, and macOS. Critical sites serving user‑uploaded images or generating thumbnails are especially exposed if they rely on unsupported ImageMagick releases.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity attack that would be considered high risk by most organizations. Because the EPSS score is not available, the current exploitation probability cannot be quantified, but the lack of a KEV listing suggests no known mass exploitation has been documented yet. The most likely attack vector is the supply of a malicious MIFF file to an application that imports or converts images, which is a common web‑application scenario. No user privilege escalation is required; the impact remains confined to service availability.

Generated by OpenCVE AI on June 10, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to 7.1.2.23 or later, or to 6.9.13‑48 or later; update all packages that depend on ImageMagick.
  • Apply any vendor‑supplied patch for earlier ImageMagick releases if upgrading is delayed.
  • If an upgrade is not possible, sanitize or reject MIFF files before processing, and consider isolating image handling in a sandbox with CPU limits and strict timeouts.
  • Monitor CPU utilization for abnormal spikes that may indicate exploitation attempts and enforce application level rate limiting on image uploads.

Generated by OpenCVE AI on June 10, 2026 at 22:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4609-1 imagemagick security update
Debian DSA Debian DSA DSA-6298-1 imagemagick security update
Debian DSA Debian DSA DSA-6310-1 imagemagick security update
Github GHSA Github GHSA GHSA-7gg8-qqx7-92g5 ImageMagick: Infinite Loop in the MIFF decoder can lead to CPU exhaustion
History

Wed, 10 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Imagemagick
Imagemagick imagemagick
Vendors & Products Imagemagick
Imagemagick imagemagick

Wed, 10 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2.23 and 6.9.13-48, due to a missing check in the MIFF decoder, a crafted file could cause an infinite loop resulting in CPU exhaustion. Versions 7.1.2.23 and 6.9.13-48 fix the issue.
Title ImageMagick: Infinite Loop in the MIFF decoder can lead to CPU exhaustion
Weaknesses CWE-400
CWE-835
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Imagemagick Imagemagick
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T21:30:41.682Z

Reserved: 2026-05-14T19:12:32.755Z

Link: CVE-2026-46522

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-10T22:16:59.333

Modified: 2026-06-10T22:16:59.333

Link: CVE-2026-46522

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T22:30:22Z

Weaknesses