Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2.23 and 6.9.13-48, due to a missing check in the MIFF decoder, a crafted file could cause an infinite loop resulting in CPU exhaustion. Versions 7.1.2.23 and 6.9.13-48 fix the issue.
Published: 2026-06-10
Score: 7.5 High
EPSS: 1.8% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A crafted MIFF image file can trigger an infinite loop in the ImageMagick MIFF decoder. The loop never terminates and consumes CPU cycles, degrading system performance or halting the system entirely. The weakness is classified as uncontrolled resource consumption (CWE-400) and a loop with an unreachable exit condition (CWE-835). An attacker who can submit such a file to any system that processes images with ImageMagick can cause denial of service for legitimate users.

Affected Systems

Users of ImageMagick versions before 7.1.2.23 or 6.9.13-48 are at risk. The vulnerability applies to all installations of ImageMagick, the open-source image manipulation library, across Windows, Linux, and macOS. Critical sites serving user-uploaded images or generating thumbnails are especially exposed if they rely on ImageMagick releases without the fix.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, which most organizations would treat as high risk. The EPSS score of 1% means the current probability of exploitation is very low, yet the vulnerability is still actionable. The absence of a KEV listing suggests no known mass exploitation has been documented yet. The most likely attack vector is supplying a malicious MIFF file to an application that imports or converts images, a common web-application scenario. No privileges are required, and the impact is confined to service availability.

Generated by OpenCVE AI on June 11, 2026 at 21:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to 7.1.2.23 or later, or to 6.9.13‑48 or later; update all packages that depend on ImageMagick.
  • Apply any vendor‑supplied patch for earlier ImageMagick releases if upgrading is delayed.
  • If an upgrade is not possible, sanitize or reject MIFF files before processing, and consider isolating image handling in a sandbox with CPU limits and strict timeouts.
  • Monitor CPU utilization for abnormal spikes that may indicate exploitation attempts, and enforce application-level rate limiting on image uploads.

Generated by OpenCVE AI on June 11, 2026 at 21:16 UTC.
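
One way to apply the isolation advice in the list above, as an added example (not OpenCVE's or ImageMagick's code): it pre-filters MIFF input by signature and extension, then runs the converter under a CPU-time limit and a wall-clock timeout. The function names, the `magick` command line and the limit values are assumptions, and the `resource` module requires a POSIX host.

```python
import resource
import subprocess
import sys

MIFF_MAGIC = b"id=imagemagick"  # MIFF headers open with the keyword id=ImageMagick


def looks_like_miff(name: str, head: bytes) -> bool:
    """Flag input that would reach the MIFF decoder, by extension or by signature."""
    by_name = name.lower().endswith(".miff")
    return by_name or head[:len(MIFF_MAGIC)].lower() == MIFF_MAGIC


def run_limited(argv, cpu_seconds=5, wall_seconds=15):
    """Run argv under a CPU-time rlimit and a wall-clock timeout.

    Returns "ok", "failed" (non-zero exit) or "killed" (limit hit or signalled).
    """
    def cap_cpu():
        # Runs in the child before exec; never raise above the inherited hard limit.
        _, hard = resource.getrlimit(resource.RLIMIT_CPU)
        cap = cpu_seconds if hard == resource.RLIM_INFINITY else min(cpu_seconds, hard)
        resource.setrlimit(resource.RLIMIT_CPU, (cap, cap))

    try:
        proc = subprocess.run(argv, preexec_fn=cap_cpu, timeout=wall_seconds,
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except subprocess.TimeoutExpired:
        return "killed"  # subprocess.run kills the child when the timeout expires
    if proc.returncode < 0:
        return "killed"  # terminated by a signal, e.g. SIGXCPU/SIGKILL from the rlimit
    return "ok" if proc.returncode == 0 else "failed"


def safe_convert(src, dst, tool="magick"):
    """Reject MIFF input up front; convert anything else under the limits."""
    with open(src, "rb") as fh:
        if looks_like_miff(src, fh.read(64)):
            return "rejected"
    # The pre-filter is best effort; the CPU cap is the backstop if it is bypassed.
    return run_limited([tool, src, dst])


if __name__ == "__main__":
    # Constructed stand-in for a decoder stuck in a loop: a child that spins forever.
    spin = [sys.executable, "-c", "while True: pass"]
    print(run_limited(spin, cpu_seconds=1, wall_seconds=10))  # killed
```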

Advisories

| Source | ID | Title |
|---|---|---|
| Debian DLA | DLA-4609-1 | imagemagick security update |
| Debian DSA | DSA-6298-1 | imagemagick security update |
| Debian DSA | DSA-6310-1 | imagemagick security update |
| Github GHSA | GHSA-7gg8-qqx7-92g5 | ImageMagick: Infinite Loop in the MIFF decoder can lead to CPU exhaustion |

History

Thu, 11 Jun 2026 18:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| CPEs | | cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:* |

Thu, 11 Jun 2026 14:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |

Thu, 11 Jun 2026 12:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| References | | |
| Metrics | threat_severity: None | threat_severity: Important |

Wed, 10 Jun 2026 22:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Imagemagick; Imagemagick imagemagick |
| Vendors & Products | | Imagemagick; Imagemagick imagemagick |

Wed, 10 Jun 2026 21:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2.23 and 6.9.13-48, due to a missing check in the MIFF decoder, a crafted file could cause an infinite loop resulting in CPU exhaustion. Versions 7.1.2.23 and 6.9.13-48 fix the issue. |
| Title | | ImageMagick: Infinite Loop in the MIFF decoder can lead to CPU exhaustion |
| Weaknesses | | CWE-400; CWE-835 |
| References | | |
| Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'} |

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-30T12:10:04.454Z

Reserved: 2026-05-14T19:12:32.755Z

Link: CVE-2026-46522

Vulnrichment

Updated: 2026-06-30T03:16:13.085Z

NVD

Status: Analyzed

Published: 2026-06-10T22:16:59.333

Modified: 2026-06-11T18:41:56.037

Link: CVE-2026-46522

Redhat

Severity: Important

Public Date: 2026-06-10T21:30:41Z

Links: CVE-2026-46522 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-11T21:30:05Z

Weaknesses
  • CWE-400

    Uncontrolled Resource Consumption

  • CWE-835

    Loop with Unreachable Exit Condition ('Infinite Loop')