CVE-2026-24485Uncontrolled Resource Consumption in Imagemagick

CWE-400Uncontrolled Resource ConsumptionCWE-835Infinite Loop8 documents7 sources
Severity
7.5HIGHNVD
EPSS
0.0%
top 95.33%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
ImagemagickDlemstra Magick.net
Timeline
PublishedFeb 24

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, when a PCD file does not contain a valid Sync marker, the DecodeImage() function becomes trapped in an infinite loop while searching for the Sync marker, causing the program to become unresponsive and continuously consume CPU resources, ultimately leading to system resource exhaustion and denial of service. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

CVEListV5imagemagick/imagemagick< 6.9.13-40+1
NVDimagemagick/imagemagick7.0.0-07.1.2-15+1
Debianimagemagick/imagemagick< 8:6.9.11.60+dfsg-1.3+deb11u10+3
NVDdlemstra/magick.net< 14.10.3

Patches

Patch: github.com

🔴Vulnerability Details

4
OSV
CVE-2026-24485: ImageMagick is free and open-source software used for editing and manipulating digital images2026-02-24
GHSA
ImageMagick: Infinite loop vulnerability when parsing a PCD file2026-02-24
CVEList
ImageMagick: Infinite loop vulnerability when parsing a PCD file2026-02-24
OSV
ImageMagick: Infinite loop vulnerability when parsing a PCD file2026-02-24

📋Vendor Advisories

2
Red Hat
ImageMagick: ImageMagick: Denial of Service via malformed PCD file processing2026-02-24
Debian
CVE-2026-24485: imagemagick - ImageMagick is free and open-source software used for editing and manipulating d...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-24485 Impact, Exploitability, and Mitigation Steps | Wiz