Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-23, an attacker who can connect to a magick -distribute-cache service can hijack a file descriptor in the server process when a race condition is met. This issue has been patched in versions 6.9.13-48 and 7.1.2-23.
Published: 2026-06-10
Score: 4.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker who can connect to the ImageMagick distributed pixel cache service can trigger a race condition that lets them hijack a file descriptor in the server process. This places the attacker in a position to manipulate file descriptors that the server may use for subsequent operations, potentially enabling unauthorized access to file contents or execution of privileged code if those descriptors are exploited. The vulnerability is classified as CWE-362 (Race Condition) and CWE-567 (Unsynchronized Access to Shared Data in a Multithreaded Context).

Affected Systems

ImageMagick installations running versions prior to 6.9.13-48 and 7.1.2-23 are affected. The vulnerability was specifically identified in the distributed cache feature provided by the 'magick -distribute-cache' service.

Risk and Exploitability

The CVSS score for this issue is 4.1, indicating a moderate impact. The exploit probability (EPSS) is not available, so there is insufficient data to assess likelihood. The vulnerability is not listed in CISA’s KEV catalog, suggesting it has not yet been widely exploited. The attacker must be able to communicate with the distributed cache service, implying that exposure of this service to untrusted networks is a prerequisite for exploitation. If that exposure exists, the race condition provides an opportunity to hijack file descriptors, which could lead to broader compromise depending on the privileges of the ImageMagick process.

Generated by OpenCVE AI on June 10, 2026 at 23:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to version 6.9.13-48 or 7.1.2-23 or later, where the race condition has been patched.
  • If an upgrade is not immediately possible, disable or block external access to the magick -distribute-cache service so that attackers cannot trigger the race condition.
  • Implement network segmentation or firewall rules to limit exposure of the distributed cache service to trusted hosts only, reducing the attack surface for this vulnerability.

Advisories
| Source | ID | Title |
|---|---|---|
| Debian DLA | DLA-4609-1 | imagemagick security update |
| Debian DSA | DSA-6298-1 | imagemagick security update |
| Debian DSA | DSA-6310-1 | imagemagick security update |
| Github GHSA | GHSA-4g75-9r48-jf92 | ImageMagick: Race Condition in distributed pixel cache server can result in file descriptor hijacking |

History

Thu, 11 Jun 2026 14:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Wed, 10 Jun 2026 23:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Imagemagick; Imagemagick imagemagick |
| Vendors & Products | | Imagemagick; Imagemagick imagemagick |

Wed, 10 Jun 2026 22:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-23, an attacker who can connect to a magick -distribute-cache service can hijack a file descriptor in the server process when a race condition is met. This issue has been patched in versions 6.9.13-48 and 7.1.2-23. |
| Title | | ImageMagick: Race Condition in distributed pixel cache server can result in file descriptor hijacking |
| Weaknesses | | CWE-362; CWE-567 |
| References | | |
| Metrics | | cvssV3_1 {'score': 4.1, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N'} |


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-11T13:12:40.196Z

Reserved: 2026-05-15T23:26:58.308Z

Link: CVE-2026-46693

Vulnrichment

Updated: 2026-06-11T13:12:36.915Z

NVD

Status: Awaiting Analysis

Published: 2026-06-10T23:16:47.597

Modified: 2026-06-11T15:15:54.900

Link: CVE-2026-46693

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T23:30:44Z

Weaknesses
  • CWE-362

    Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

  • CWE-567

    Unsynchronized Access to Shared Data in a Multithreaded Context