CVE-2026-55595
Undergoing Analysis - In Progress

Infinite Loop in ImageMagick via Invalid Connected-Components Arguments

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: GitHub, Inc.

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-51 and 7.1.2-26, when providing invalid arguments to the connected-components option an infinite loop will occur. This issue has been fixed in versions 6.9.13-51 and 7.1.2-26.

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-02
AI Q&A: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE

| Vendor | Product | Version / Range |
|---|---|---|
| image_magick | image_magick | up to 6.9.13-51 (excluding); up to 7.1.2-26 (excluding) |

Exploitability

| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
| CWE-835 | The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. |

Executive Summary

The CVE-2026-55595 vulnerability affects ImageMagick versions prior to 7.1.2-26 and 6.9.13-51. When invalid arguments are provided to the connected-components option, it triggers an infinite loop.

The issue is classified as uncontrolled resource consumption (CWE-400) and a loop with an unreachable exit condition (CWE-835).

The issue has been fixed in versions 7.1.2-26 and 6.9.13-51.

Impact Analysis

This vulnerability can cause a high loss of availability by triggering an infinite loop that consumes resources uncontrollably.

It does not affect confidentiality or integrity.

The attack requires local access and user interaction, has high attack complexity, and needs no privileges.

Detection Guidance

This vulnerability occurs when invalid arguments are provided to the connected-components option in ImageMagick, causing an infinite loop that consumes resources uncontrollably.

To detect this vulnerability on your system, you can check the installed version of ImageMagick to see if it is prior to versions 6.9.13-51 or 7.1.2-26, which are the patched versions.

  • Run the command `magick -version` or `convert -version` to determine the installed ImageMagick version.
  • If a 6.x installation is older than 6.9.13-51, or a 7.x installation is older than 7.1.2-26, your system is vulnerable.
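
The version check above as a script, added here as an example and not taken from the advisory or the ImageMagick project. The function names and the sample `-version` line are constructed, and it assumes the first output line has the form `Version: ImageMagick X.Y.Z-N ...`.

```shell
#!/bin/sh
# Added example: classify an ImageMagick version against the fixed releases
# named in this report (6.9.13-51 and 7.1.2-26). Function names are hypothetical.

# Constructed sample of the first line printed by `magick -version`.
SAMPLE='Version: ImageMagick 7.1.1-43 Q16-HDRI x86_64 22550 https://imagemagick.org'

# Read `-version` output on stdin, print the X.Y.Z-N version string.
im_extract_version() {
    sed -n 's/^Version: ImageMagick \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*-[0-9][0-9]*\).*/\1/p' | head -n 1
}

# Succeed if version $1 is strictly older than $2, comparing fields numerically.
im_version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, /[.-]/); split(b, y, /[.-]/)
        for (i = 1; i <= 4; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# Print vulnerable / fixed / unknown for a version string.
im_status() {
    case "$1" in
        ""|*[!0-9.-]*) echo unknown; return 0 ;;
    esac
    case "$1" in
        6.*) fixed=6.9.13-51 ;;   # 6.x branch fix
        7.*) fixed=7.1.2-26 ;;    # 7.x branch fix
        *)   echo unknown; return 0 ;;
    esac
    if im_version_lt "$1" "$fixed"; then echo vulnerable; else echo fixed; fi
}

printf 'sample %s\n' "$(im_status "$(printf '%s\n' "$SAMPLE" | im_extract_version)")"
# Check the first ImageMagick binary found on PATH, if any.
for bin in magick convert; do
    command -v "$bin" >/dev/null 2>&1 || continue
    ver=$("$bin" -version 2>/dev/null | im_extract_version)
    printf '%s %s %s\n' "$bin" "${ver:-?}" "$(im_status "$ver")"
    break
done
```

A distribution package may carry a backported fix under an older upstream version number, so confirm a `vulnerable` result against the vendor's own advisory.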

Additionally, you can attempt to test the connected-components option with invalid arguments in a controlled environment to observe if an infinite loop or resource exhaustion occurs, but this requires local access and user interaction.

Mitigation Strategies

The primary mitigation step is to upgrade ImageMagick to a fixed version.

  • Update ImageMagick to version 6.9.13-51 or later, or 7.1.2-26 or later, where this vulnerability has been patched.

Since the vulnerability requires local access and user interaction, restricting untrusted users from executing ImageMagick commands or processing untrusted input can also reduce risk.

Monitor resource usage when using the connected-components option to detect abnormal behavior until the update is applied.

Compliance Impact

The vulnerability in ImageMagick (CVE-2026-55595) causes an infinite loop leading to high availability loss but does not affect confidentiality or integrity of data.

Since confidentiality and integrity remain unaffected, the vulnerability is unlikely to directly impact compliance with standards focused on data protection such as GDPR or HIPAA.

The availability impact could affect service continuity requirements under some regulations, but no explicit compliance implications are detailed in the provided information.
