CVE-2026-26283
Received Received - Intake
Infinite Loop DoS in ImageMagick JPEG Encoder Causes CPU Hang

Publication date: 2026-02-24

Last updated on: 2026-02-24

Assigner: GitHub, Inc.

Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a `continue` statement in the JPEG extent binary search loop in the jpeg encoder causes an infinite loop when writing persistently fails. An attacker can trigger a 100% CPU consumption and process hang (Denial of Service) with a crafted image. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-24
Last Modified
2026-02-24
Generated
2026-06-16
AI Q&A
2026-02-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-26283
EUVD
EUVD-2026-7414
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
imagemagick imagemagick to 6.9.13-40 (exc)
imagemagick imagemagick From 7.0.0-0 (inc) to 7.1.2-15 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-835 The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-26283 is a vulnerability in ImageMagick's JPEG encoder caused by a 'continue' statement inside a binary search loop for the jpeg:extent parameter. This coding issue leads to an infinite loop when persistent write failures occur during JPEG encoding."}, {'type': 'paragraph', 'content': 'An attacker can exploit this by crafting a specially designed image that triggers the infinite loop, causing the process to hang and consume 100% CPU resources.'}, {'type': 'paragraph', 'content': 'This results in a Denial of Service (DoS) condition, where the affected system becomes unresponsive due to resource exhaustion.'}] [1]

Impact Analysis

The vulnerability can cause a Denial of Service (DoS) by making the ImageMagick process hang and consume 100% CPU, leading to resource exhaustion.

This can disrupt services or applications that rely on ImageMagick for image processing, potentially causing downtime or degraded performance.

Since the attack requires only local access and no privileges or user interaction, it could be exploited by an attacker with limited access to the system.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability causes an infinite loop in the JPEG encoder of ImageMagick when processing crafted images, leading to 100% CPU usage and process hang.'}, {'type': 'paragraph', 'content': 'Detection can involve monitoring for unusually high CPU usage by ImageMagick processes, especially when handling JPEG images.'}, {'type': 'paragraph', 'content': 'Specific commands to detect this condition might include:'}, {'type': 'list_item', 'content': "Using system monitoring tools like 'top' or 'htop' to identify ImageMagick processes consuming 100% CPU."}, {'type': 'list_item', 'content': "Using 'ps aux | grep convert' (or the relevant ImageMagick command) to find hung or stuck processes."}, {'type': 'list_item', 'content': 'Checking logs or running ImageMagick commands on suspect JPEG images in a controlled environment to see if the process hangs.'}] [1]

Mitigation Strategies

The primary mitigation is to upgrade ImageMagick to a patched version, specifically version 7.1.2-15 or later, or 6.9.13-40 or later.

Until the upgrade can be applied, consider restricting or sanitizing untrusted JPEG images before processing with ImageMagick to prevent crafted images from triggering the vulnerability.

Additionally, monitor ImageMagick processes for abnormal CPU usage and terminate any hung processes to reduce denial of service impact.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26283. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart