CVE-2026-26066
Received Received - Intake
Infinite Loop Vulnerability in ImageMagick IPTC Profile Handling

Publication date: 2026-02-24

Last updated on: 2026-02-24

Assigner: GitHub, Inc.

Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted profile contain invalid IPTC data may cause an infinite loop when writing it with `IPTCTEXT`. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-24
Last Modified
2026-02-24
Generated
2026-06-16
AI Q&A
2026-02-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-26066
EUVD
EUVD-2026-7415
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
imagemagick imagemagick to 6.9.13-40 (exc)
imagemagick imagemagick From 7.0.0-0 (inc) to 7.1.2-15 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-835 The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-26066 is a moderate severity vulnerability in ImageMagick, a software used for editing and manipulating digital images. The issue occurs in versions prior to 7.1.2-15 and 6.9.13-40 when a crafted profile containing invalid IPTC data causes an infinite loop during the writing of IPTCTEXT.

This infinite loop leads to uncontrolled resource consumption, effectively causing a denial of service (DoS) condition.

Impact Analysis

The vulnerability can impact you by causing a denial of service due to an infinite loop triggered by crafted invalid IPTC data.

This results in high impact on availability of the affected system or service, as resources are consumed uncontrollably.

The attack requires local access with low complexity, no privileges, and no user interaction.

It does not affect confidentiality or integrity.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability is triggered by processing crafted IPTC profiles with invalid data in ImageMagick versions prior to 7.1.2-15 and 6.9.13-40. Detection involves identifying if your system is running an affected version of ImageMagick and if any image files contain malformed IPTC profiles that could cause an infinite loop when writing IPTCTEXT.'}, {'type': 'paragraph', 'content': 'Since the vulnerability requires local access and is triggered during image processing, you can detect it by checking the installed ImageMagick version using the command:'}, {'type': 'list_item', 'content': 'magick --version'}, {'type': 'paragraph', 'content': "To detect potentially malicious or malformed IPTC data in images, you might use ImageMagick's identify command to inspect image profiles:"}, {'type': 'list_item', 'content': 'magick identify -verbose <image-file>'}, {'type': 'paragraph', 'content': 'Look specifically for IPTC profiles and verify their validity. However, no specific commands to automatically detect the crafted invalid IPTC data causing the infinite loop are provided.'}] [1]

Mitigation Strategies

The immediate mitigation step is to upgrade ImageMagick to a patched version that addresses this vulnerability. Specifically, update to version 7.1.2-15 or later, or 6.9.13-40 or later.

Until the upgrade can be applied, avoid processing untrusted images containing IPTC profiles, as the vulnerability is triggered by crafted IPTC data.

Additionally, restrict local access to systems running vulnerable versions to reduce the risk of exploitation, since the attack requires local access.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26066. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart