CVE-2026-46522
Status: Modified (Updated After Analysis)

Denial of Service in ImageMagick via MIFF Decoder

Vulnerability report for CVE-2026-46522, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-10

Last updated on: 2026-06-30

Assigner: GitHub, Inc.

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2.23 and 6.9.13-48, due to a missing check in the MIFF decoder, a crafted file could cause an infinite loop resulting in CPU exhaustion. Versions 7.1.2.23 and 6.9.13-48 fix the issue.


Meta Information

Published
2026-06-10
Last Modified
2026-06-30
Generated
2026-07-01
AI Q&A
2026-06-11
EPSS Evaluated
2026-06-30
NVD

Affected Vendors & Products

Showing 2 associated CPEs

Vendor       Product      Version / Range
imagemagick  imagemagick  up to 6.9.13-48 (excluded)
imagemagick  imagemagick  from 7.0.0-0 (included) to 7.1.2-23 (excluded)

Exploitability

CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
CWE-835 The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

AI Quick Actions

Executive Summary

This vulnerability exists in ImageMagick, free and open-source software used for editing and manipulating digital images. Due to a missing check in the MIFF decoder in versions prior to 7.1.2.23 and 6.9.13-48, a specially crafted file can cause the software to enter an infinite loop. This infinite loop results in CPU exhaustion, which can degrade system performance or cause denial of service.

Impact Analysis

The vulnerability can lead to CPU exhaustion by causing ImageMagick to enter an infinite loop when processing a crafted MIFF file. This can result in denial of service conditions, where the affected system's resources are heavily consumed, potentially making the system unresponsive or slowing down other processes.

Mitigation Strategies

To mitigate this vulnerability, update ImageMagick to version 7.1.2.23 or later, or 6.9.13-48 or later, as these versions contain the fix for the infinite loop issue in the MIFF decoder.

Compliance Impact

This vulnerability causes an infinite loop resulting in CPU exhaustion but does not directly impact confidentiality, integrity, or availability of data.

Since the vulnerability does not lead to data breaches or unauthorized data access, it does not directly affect compliance with standards like GDPR or HIPAA, which focus on protecting personal and sensitive data.

However, denial of service conditions caused by CPU exhaustion could indirectly impact availability requirements under such regulations.

Detection Guidance

This vulnerability causes an infinite loop in the MIFF decoder of ImageMagick when processing crafted files, leading to CPU exhaustion.

To detect exploitation attempts or the presence of this vulnerability on your system, you can monitor for unusually high CPU usage by ImageMagick processes, especially when handling MIFF image files.

Suggested commands to help detect potential exploitation or vulnerability presence include:

  • Use system monitoring tools like 'top' or 'htop' to observe CPU usage spikes related to ImageMagick processes.
  • Use 'ps aux | grep convert' (or the relevant ImageMagick binary) to identify running ImageMagick processes consuming high CPU.
  • Check logs or monitor network traffic for incoming MIFF files or suspicious image processing requests.
  • If you have access to the files being processed, you can attempt to identify crafted MIFF files by scanning for unusual or malformed MIFF images.
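As an added example (not part of this record or of ImageMagick's own tooling), a POSIX shell snippet that applies the ps-based check above to a constructed process listing and wraps new ImageMagick invocations in a hard CPU-time cap; the binary names, thresholds and sample lines are assumptions:

```shell
# Added example for CVE-2026-46522 (not from the record or from ImageMagick):
# flag ImageMagick processes whose accumulated CPU time and current CPU load
# look like a decoder stuck in a loop, and cap CPU time for new invocations.
# Binary names, thresholds and the sample lines below are assumptions.

# Input: lines shaped like `ps -eo pid,times,%cpu,comm,args --no-headers`
# (procps: times = cumulative CPU seconds). Output per suspicious process:
#   <pid> <cpu_seconds> <cpu_percent> <miff|other> <command line>
flag_stuck_imagemagick() {
    min_s="${1:-60}"    # assumed: at least 60 s of CPU already consumed
    min_pct="${2:-90}"  # assumed: still burning >= 90 % of a core
    awk -v min_s="$min_s" -v min_pct="$min_pct" '
        # $4 is the executable name; these are the ImageMagick front-ends
        $4 ~ /^(magick|convert|mogrify|identify|montage|composite)$/ &&
        ($2 + 0) >= (min_s + 0) && ($3 + 0) >= (min_pct + 0) {
            cmd = $5
            for (i = 6; i <= NF; i++) cmd = cmd " " $i
            # a MIFF input (".miff" or the "miff:" coder prefix) strengthens the match
            tag = (tolower(cmd) ~ /\.miff|miff:/) ? "miff" : "other"
            print $1, $2, $3, tag, cmd
        }'
}

# Constructed ps sample (not captured from a real host).
SAMPLE_PS='
 1201     0   0.3 sshd      sshd: user [priv]
 2310   184  99.8 convert   convert upload_a1b2.miff -resize 50% out.png
 2311     2   1.2 convert   convert photo.jpg -thumbnail 100x100 thumb.jpg
 2402   300  99.5 magick    magick big.tiff -resize 25% out.jpg
 2500    90  95.0 python3   python3 worker.py
'

# Mitigation wrapper: run an ImageMagick command under a hard CPU-seconds cap
# (POSIX ulimit -t) so a runaway decoder is killed by the kernel with SIGXCPU.
run_with_cpu_cap() {
    cap="$1"; shift
    ( ulimit -t "$cap"; exec "$@" )
}

printf '%s\n' "$SAMPLE_PS" | flag_stuck_imagemagick 60 90
```

The normal thumbnail job and the unrelated Python worker are not reported; only the two long-running ImageMagick processes are, with the MIFF one tagged as such.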
