Skip to main content

ImageMagick CVE-2026-46522

HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-05-18 https://github.com/ImageMagick/ImageMagick GHSA-7gg8-qqx7-92g5
7.5
CVSS 3.1 · Vendor: https://github.com/ImageMagick/ImageMagick
Share

Severity by source

Vendor (https://github.com/ImageMagick/ImageMagick) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (https://github.com/ImageMagick/ImageMagick).

CVSS VectorVendor: https://github.com/ImageMagick/ImageMagick

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 18, 2026 - 21:30 vuln.today
Analysis Generated
May 18, 2026 - 21:30 vuln.today

DescriptionCVE.org

Due to a missing check in the MIFF decoder a crafted file could cause an infinite loop resulting in CPU exhaustion.

AnalysisAI

Denial of service in ImageMagick's MIFF (Magick Image File Format) decoder allows remote unauthenticated attackers to trigger an infinite loop and exhaust CPU resources by submitting a crafted MIFF file. The flaw affects Magick.NET bindings prior to version 14.13.1 across multiple platform builds (Q16, HDRI, OpenMP variants for x64/arm64/x86) and is tracked under GHSA-7gg8-qqx7-92g5. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Technical ContextAI

ImageMagick is a widely-deployed image processing library used to read, write, and manipulate images in over 100 formats. The MIFF format is ImageMagick's native uncompressed image container, parsed by the MIFF decoder in coders/miff.c. This vulnerability maps to CWE-400 (Uncontrolled Resource Consumption): the decoder lacks a sanity check on a loop terminator or counter when parsing a malformed MIFF stream, causing the parser to spin indefinitely. Because Magick.NET wraps the native ImageMagick library for .NET applications, all Q16 / Q16-HDRI / OpenMP NuGet builds inherit the underlying decoder defect.

RemediationAI

Vendor-released patch: upgrade Magick.NET to version 14.13.1 or later, which contains the missing-check fix in the MIFF decoder; the GitHub Security Advisory at https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7gg8-qqx7-92g5 is the authoritative reference. Where immediate upgrade is not feasible, compensating controls include disabling the MIFF coder via an ImageMagick policy.xml entry (<policy domain="coder" rights="none" pattern="MIFF" />), which prevents decoding at the cost of breaking any legitimate MIFF workflow, and enforcing strict per-request CPU/time limits using MagickResourceLimits.Time or OS-level cgroup/ulimit constraints so a runaway decode is killed (trade-off: legitimate large images may also be terminated). Validating uploaded image MIME types and magic bytes server-side reduces but does not eliminate exposure, since MIFF detection is content-based.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Affected
SUSE Linux Enterprise Module for Development Tools 15 SP7 Affected
SUSE Linux Enterprise Module for Package Hub 15 SP7 Not-Affected

Share

CVE-2026-46522 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy