Infinite Loop, Infinite Pain: Analyzing CVE-2026-26066 in ImageMagick
Vulnerability ID: CVE-2026-26066
CVSS Score: 6.2
Published: 2026-02-24
A logic error in ImageMagick's IPTC metadata parser allows for a trivial Denial of Service (DoS) attack. By supplying a crafted image file, an attacker can trap the processing thread in an infinite loop, causing 100% CPU utilization and potentially taking down image processing pipelines.
TL;DR
ImageMagick contains an infinite loop vulnerability in coders/meta.c. A malicious image with invalid IPTC data can cause the parser to get stuck reading the same byte forever, resulting in a Denial of Service. Patch immediately to 7.1.2-15 or 6.9.13-40.
Technical Details
- CWE: CWE-835 (Infinite Loop)
- CVSS v3.1: 6.2 (Medium)
- Attack Vector: Local (User Supplied File)
- Availability Impact: High (DoS)
- Exploit Status: Trivial / No Public PoC yet
- EPSS Score: 0.00013 (Low probability)
Affected Systems
- ImageMagick 7.x < 7.1.2-15
- ImageMagick 6.x < 6.9.13-40
- Magick.NET < 14.10.3
- Web applications allowing image uploads
- Content Management Systems (CMS) using ImageMagick
- ImageMagick v7: >= 7.0.0-0, < 7.1.2-15 (Fixed in: 7.1.2-15)
- ImageMagick v6: < 6.9.13-40 (Fixed in: 6.9.13-40)
- Magick.NET: < 14.10.3 (Fixed in: 14.10.3)
Code Analysis
Commit: 880057c
Fix infinite loop in formatIPTC by ensuring ReadBlobByte is called in else block
- c=0;
+ c=ReadBlobByte(ifile);
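Review bot: on the added line `c=ReadBlobByte(ifile);`, nothing in the visible hunk shows the returned value being tested for EOF before the loop continues. Please confirm that the enclosing loop in formatIPTC exits when this read returns EOF, so that a truncated IPTC block ends parsing instead of spinning. A regression test that feeds a malformed IPTC sample through this else branch would keep the fix from being lost in a later refactor.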
Mitigation Strategies
- Update ImageMagick binaries
- Implement strict process timeouts for image processing workers
- Monitor CPU usage spikes correlated with file uploads
Remediation Steps:
- Identify the current version: magick --version
- If version < 7.1.2-15 or < 6.9.13-40, upgrade immediately.
- For .NET environments, update the Magick.NET NuGet package to 14.10.3.
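The process-timeout mitigation listed above, sketched as an added example (not code from ImageMagick or from this advisory): a POSIX-only wrapper that runs a converter under both a wall-clock deadline and a kernel CPU-time cap, so a worker stuck in a loop is killed and reported. The function name `run_limited`, the limit values and the file names in the comment are assumptions.

```python
import os
import resource
import signal
import subprocess
import sys


def run_limited(cmd, wall_seconds=10.0, cpu_seconds=5):
    """Run cmd under a wall-clock and a CPU-time limit.

    Returns (status, returncode); status is "ok", "failed",
    "cpu_limit" or "timeout".
    """

    def set_limits():
        # Runs in the child just before exec. The kernel sends SIGXCPU at
        # the soft limit and SIGKILL at the hard limit.
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds + 1))

    proc = subprocess.Popen(
        cmd,
        stdin=subprocess.DEVNULL,
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
        preexec_fn=set_limits,
        start_new_session=True,  # own process group, so helper processes die too
    )
    try:
        proc.wait(timeout=wall_seconds)
    except subprocess.TimeoutExpired:
        try:
            os.killpg(proc.pid, signal.SIGKILL)
        except ProcessLookupError:
            pass  # exited between the timeout and the kill
        proc.wait()
        return "timeout", proc.returncode
    if proc.returncode in (-signal.SIGXCPU, -signal.SIGKILL):
        return "cpu_limit", proc.returncode
    return ("ok" if proc.returncode == 0 else "failed"), proc.returncode


if __name__ == "__main__":
    # Constructed stand-in for a converter stuck at 100% CPU. In a real worker
    # cmd would be e.g. ["magick", "upload.jpg", "out.png"] (hypothetical names).
    spinner = [sys.executable, "-c", "while True: pass"]
    print(run_limited(spinner, wall_seconds=30, cpu_seconds=1))
```

Log every "cpu_limit" and "timeout" result together with the upload's hash and source, which gives the CPU-spike-to-upload correlation the monitoring item asks for.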