CVE-2026-26283
Infinite Loop DoS in ImageMagick JPEG Encoder Causes CPU Hang
Publication date: 2026-02-24
Last updated on: 2026-02-24
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| imagemagick | imagemagick | to 6.9.13-40 (exc) |
| imagemagick | imagemagick | From 7.0.0-0 (inc) to 7.1.2-15 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-835 | The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-26283 is a vulnerability in ImageMagick's JPEG encoder caused by a 'continue' statement inside a binary search loop for the jpeg:extent parameter. This coding issue leads to an infinite loop when persistent write failures occur during JPEG encoding.
An attacker can exploit this by crafting a specially designed image that triggers the infinite loop, causing the process to hang and consume 100% CPU resources.
This results in a Denial of Service (DoS) condition, where the affected system becomes unresponsive due to resource exhaustion. [1]
How can this vulnerability impact me?
The vulnerability can cause a Denial of Service (DoS) by making the ImageMagick process hang and consume 100% CPU, leading to resource exhaustion.
This can disrupt services or applications that rely on ImageMagick for image processing, potentially causing downtime or degraded performance.
Since the attack requires only local access and no privileges or user interaction, it could be exploited by an attacker with limited access to the system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability causes an infinite loop in the JPEG encoder of ImageMagick when processing crafted images, leading to 100% CPU usage and process hang.
Detection can involve monitoring for unusually high CPU usage by ImageMagick processes, especially when handling JPEG images.
Specific commands to detect this condition might include:
- Using system monitoring tools like 'top' or 'htop' to identify ImageMagick processes consuming 100% CPU.
- Using 'ps aux | grep convert' (or the relevant ImageMagick command) to find hung or stuck processes.
- Checking logs or running ImageMagick commands on suspect JPEG images in a controlled environment to see if the process hangs. [1]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade ImageMagick to a patched version, specifically version 7.1.2-15 or later, or 6.9.13-40 or later.
Until the upgrade can be applied, consider restricting or sanitizing untrusted JPEG images before processing with ImageMagick to prevent crafted images from triggering the vulnerability.
Additionally, monitor ImageMagick processes for abnormal CPU usage and terminate any hung processes to reduce denial of service impact.
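A version check for the upgrade guidance above, using the ranges from the Affected Vendors & Products table. This is an added example, not part of the advisory or of ImageMagick; the function names and the sample `-version` line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): classify an ImageMagick version
# against the affected ranges listed for CVE-2026-26283.

# Read `magick -version` / `convert -version` output on stdin, print "X.Y.Z-P".
im_extract_version() {
    sed -n 's/^Version: ImageMagick \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*-[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Succeed if version $1 is strictly lower than $2, comparing the four
# numeric fields (major.minor.patch-build) left to right.
im_version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, /[.-]/); split(b, y, /[.-]/)
        for (i = 1; i <= 4; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1  # equal versions are not "lower"
    }'
}

# Print "affected", "patched" or "unknown" for version string $1.
im_cve_2026_26283_status() {
    case $1 in
        [0-9]*.[0-9]*.[0-9]*-[0-9]*) ;;
        *) echo unknown; return 0 ;;
    esac
    if im_version_lt "$1" "6.9.13-40"; then
        echo affected   # everything before 6.9.13-40
    elif im_version_lt "$1" "7.0.0-0"; then
        echo patched    # 6.9.13-40 and later 6.x builds
    elif im_version_lt "$1" "7.1.2-15"; then
        echo affected   # 7.0.0-0 up to, not including, 7.1.2-15
    else
        echo patched    # 7.1.2-15 and later
    fi
}

# Constructed sample line; on a real host use: magick -version | im_extract_version
sample='Version: ImageMagick 7.1.2-13 Q16-HDRI x86_64 https://imagemagick.org'
found=$(printf '%s\n' "$sample" | im_extract_version)
echo "ImageMagick $found: $(im_cve_2026_26283_status "$found")"
```

Distribution packages that backport fixes keep an older upstream version string, so treat an "affected" result on a distro build as a prompt to check the vendor's own advisory.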