Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-49 and 7.1.2-24, an infinite loop in the subimage-search operation can happen when using a crafted image. This issue has been patched in versions 6.9.13-49 and 7.1.2-24.
Published: 2026-06-10
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists because ImageMagick can enter an infinite loop during its subimage-search operation when processing a specially crafted image. The resulting endless cycle consumes system resources and can cause the application to hang or crash, effectively denying service to legitimate users. This weakness is classified as CWE-835, an infinite loop condition.

Affected Systems

The flaw affects all releases of ImageMagick prior to 6.9.13-49 and 7.1.2-24. Systems that use older ImageMagick binaries in any image processing pipeline—such as web servers, media converters, or content management systems—are potentially impacted.

Risk and Exploitability

ImageMagick receives a CVSS score of 4.7, indicating a moderate impact. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited known exploitation activity. The attack vector is inferred: an attacker would need to supply a crafted image to a vulnerable instance. Environments that accept user‑supplied images for processing—common in web services—are the most likely targets, though no privileged execution is required for exploitation.

Generated by OpenCVE AI on June 10, 2026 at 23:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to version 6.9.13-49 or later, or 7.1.2-24 or later, to obtain the fix for the infinite loop issue.
  • Validate and sanitize all user‑supplied images before passing them to ImageMagick, ensuring that only properly formed images of expected size and format are processed.
  • If subimage-search functionality is not needed for your application, disable it or remove the code path entirely to eliminate the vulnerability.

Generated by OpenCVE AI on June 10, 2026 at 23:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Imagemagick
Imagemagick imagemagick
Vendors & Products Imagemagick
Imagemagick imagemagick

Wed, 10 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Description ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-49 and 7.1.2-24, an infinite loop in the subimage-search operation can happen when using a crafted image. This issue has been patched in versions 6.9.13-49 and 7.1.2-24.
Title ImageMagick: Infinite Loop in subimage-search with crafted image
Weaknesses CWE-835
References
Metrics cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H'}

Subscriptions

Imagemagick Imagemagick
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T21:53:35.587Z

Reserved: 2026-05-22T19:10:35.746Z

Link: CVE-2026-48733

cve-icon Vulnrichment

Updated: 2026-06-11T13:09:32.370Z

cve-icon NVD

Status : Received

Published: 2026-06-10T23:16:49.083

Modified: 2026-06-10T23:16:49.083

Link: CVE-2026-48733

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-11T00:00:14Z

Weaknesses
  • CWE-835

    Loop with Unreachable Exit Condition ('Infinite Loop')