CVE-2026-26066
Infinite Loop Vulnerability in ImageMagick IPTC Profile Handling
Publication date: 2026-02-24
Last updated on: 2026-02-24
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| imagemagick | imagemagick | to 6.9.13-40 (exc) |
| imagemagick | imagemagick | From 7.0.0-0 (inc) to 7.1.2-15 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-835 | The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. |
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-26066 is a moderate severity vulnerability in ImageMagick, a software used for editing and manipulating digital images. The issue occurs in versions prior to 7.1.2-15 and 6.9.13-40 when a crafted profile containing invalid IPTC data causes an infinite loop during the writing of IPTCTEXT.
This infinite loop leads to uncontrolled resource consumption, effectively causing a denial of service (DoS) condition.
How can this vulnerability impact me? :
The vulnerability can impact you by causing a denial of service due to an infinite loop triggered by crafted invalid IPTC data.
This results in high impact on availability of the affected system or service, as resources are consumed uncontrollably.
The attack requires local access with low complexity, no privileges, and no user interaction.
It does not affect confidentiality or integrity.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability is triggered by processing crafted IPTC profiles with invalid data in ImageMagick versions prior to 7.1.2-15 and 6.9.13-40. Detection involves identifying if your system is running an affected version of ImageMagick and if any image files contain malformed IPTC profiles that could cause an infinite loop when writing IPTCTEXT.'}, {'type': 'paragraph', 'content': 'Since the vulnerability requires local access and is triggered during image processing, you can detect it by checking the installed ImageMagick version using the command:'}, {'type': 'list_item', 'content': 'magick --version'}, {'type': 'paragraph', 'content': "To detect potentially malicious or malformed IPTC data in images, you might use ImageMagick's identify command to inspect image profiles:"}, {'type': 'list_item', 'content': 'magick identify -verbose <image-file>'}, {'type': 'paragraph', 'content': 'Look specifically for IPTC profiles and verify their validity. However, no specific commands to automatically detect the crafted invalid IPTC data causing the infinite loop are provided.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade ImageMagick to a patched version that addresses this vulnerability. Specifically, update to version 7.1.2-15 or later, or 6.9.13-40 or later.
Until the upgrade can be applied, avoid processing untrusted images containing IPTC profiles, as the vulnerability is triggered by crafted IPTC data.
Additionally, restrict local access to systems running vulnerable versions to reduce the risk of exploitation, since the attack requires local access.