Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-23, an attacker who can connect to a magick -distribute-cache service can hijack a file descriptor in the server process when a race condition is met. This issue has been patched in versions 6.9.13-48 and 7.1.2-23.
Published: 2026-06-10
Score: 4.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker who can connect to ImageMagick's distributed pixel cache service can trigger a race condition that lets them hijack a file descriptor in the server process. The flaw is classified as a race condition with incomplete synchronization, a concurrency issue in the handling of shared resources.

Affected Systems

ImageMagick installations built prior to versions 6.9.13-48 and 7.1.2-23 are affected. The vulnerability applies when the distributed pixel cache service (magick -distribute-cache) is exposed to potential attackers.

Risk and Exploitability

The CVSS score of 4.1 is rated Medium. The EPSS score of less than 1% indicates a very low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires the attacker to be able to connect to the distributed cache service, so exposure of this service to untrusted networks is a prerequisite.

Generated by OpenCVE AI on June 13, 2026 at 02:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to version 6.9.13-48 or 7.1.2-23 or later, where the race condition has been fixed.
  • If an upgrade is not possible, disable or block external access to the magick -distribute-cache service so that attackers cannot trigger the race condition.
  • Configure firewalls or network segmentation to restrict the distributed cache service to trusted hosts only, reducing the exposure of the vulnerable functionality.



Advisories
| Source | ID | Title |
|---|---|---|
| Debian DLA | DLA-4609-1 | imagemagick security update |
| Debian DSA | DSA-6298-1 | imagemagick security update |
| Debian DSA | DSA-6310-1 | imagemagick security update |
| Github GHSA | GHSA-4g75-9r48-jf92 | ImageMagick: Race Condition in distributed pixel cache server can result in file descriptor hijacking |

History

Sat, 13 Jun 2026 00:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | | CWE-910 |
| References | | |
| Metrics | threat_severity: None | threat_severity: Low |


Thu, 11 Jun 2026 18:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| CPEs | | cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:* |

Thu, 11 Jun 2026 14:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Wed, 10 Jun 2026 23:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Imagemagick, Imagemagick imagemagick |
| Vendors & Products | | Imagemagick, Imagemagick imagemagick |

Wed, 10 Jun 2026 22:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-23, an attacker who can connect to a magick -distribute-cache service can hijack a file descriptor in the server process when a race condition is met. This issue has been patched in versions 6.9.13-48 and 7.1.2-23. |
| Title | | ImageMagick: Race Condition in distributed pixel cache server can result in file descriptor hijacking |
| Weaknesses | | CWE-362, CWE-567 |
| References | | |
| Metrics | | cvssV3_1: {'score': 4.1, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N'} |


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-11T13:12:40.196Z

Reserved: 2026-05-15T23:26:58.308Z

Link: CVE-2026-46693

Vulnrichment

Updated: 2026-06-11T13:12:36.915Z

NVD

Status: Analyzed

Published: 2026-06-10T23:16:47.597

Modified: 2026-06-11T18:42:24.193

Link: CVE-2026-46693

Redhat

Severity: Low

Public Date: 2026-06-10T21:47:41Z

Links: CVE-2026-46693 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-13T02:30:06Z

Weaknesses
  • CWE-362

    Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

  • CWE-567

    Unsynchronized Access to Shared Data in a Multithreaded Context

  • CWE-910

    Use of Expired File Descriptor