CVE-2026-46522

HIGH

ImageMagick - Infinite Loop in the MIFF decoder can lead to CPU exhaustion

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-46522. PoCs published by Jose Rivas.

AI-analyzed exploit summary This exploit demonstrates a CPU exhaustion vulnerability in ImageMagick's MIFF decoder by crafting a malformed BZip2-compressed MIFF file with a zero-length block, triggering an infinite loop in the decompressor. The PoC generates a minimal 224-byte file that causes 100% CPU usage until terminated.

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2.23 and 6.9.13-48, due to a missing check in the MIFF decoder, a crafted file could cause an infinite loop resulting in CPU exhaustion. Versions 7.1.2.23 and 6.9.13-48 fix the issue.

Exploits (1)

exploitdb WORKING POC

by Jose Rivas · bashlocalmultiple

https://www.exploit-db.com/exploits/52595

View Code ZIP pw:eip

This exploit demonstrates a CPU exhaustion vulnerability in ImageMagick's MIFF decoder by crafting a malformed BZip2-compressed MIFF file with a zero-length block, triggering an infinite loop in the decompressor. The PoC generates a minimal 224-byte file that causes 100% CPU usage until terminated.

Classification

Working Poc 100%

Attack Type

Dos

Complexity

Trivial

Reliability

Reliable

Target: ImageMagick 7.x (verified on 7.1.2-3)

No auth needed

Prerequisites: ImageMagick installation with MIFF/BZip2 support

MITRE ATT&CK

T1499 - Endpoint Denial of Service

devstral-2 · analyzed May 30, 2026 Full analysis →

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7gg8-qqx7-92g5

Scores

CVSS v3 7.5

EPSS 0.0106

EPSS Percentile 78.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-400 CWE-835

Status published

Products (21)

imagemagick/imagemagick < 6.9.13-48

ImageMagick/ImageMagick < 6.9.13-48

ImageMagick/ImageMagick < 7.1.2-23

nuget/Magick.NET-Q16-AnyCPU 0 - 14.13.1NuGet

nuget/Magick.NET-Q16-arm64 0 - 14.13.1NuGet

nuget/Magick.NET-Q16-HDRI-AnyCPU 0 - 14.13.1NuGet

nuget/Magick.NET-Q16-HDRI-arm64 0 - 14.13.1NuGet

nuget/Magick.NET-Q16-HDRI-OpenMP-arm64 0 - 14.13.1NuGet

nuget/Magick.NET-Q16-HDRI-OpenMP-x64 0 - 14.13.1NuGet

nuget/Magick.NET-Q16-HDRI-x64 0 - 14.13.1NuGet

... and 11 more

Published Jun 10, 2026

Tracked Since May 30, 2026