Severity by source
AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
AV:L because exploitation requires local command invocation; AC:H reflects the specific invalid-argument trigger condition; UI:R as user or process must actively invoke ImageMagick; availability-only impact from the infinite loop.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-51 and 7.1.2-26, when providing invalid arguments to the connected-components option an infinite loop will occur. This issue has been fixed in versions 6.9.13-51 and 7.1.2-26.
AnalysisAI
Uncontrolled resource consumption in ImageMagick (all versions prior to 6.9.13-51 and 7.1.2-26) allows a denial-of-service condition by supplying invalid arguments to the connected-components processing option, which causes an infinite loop that exhausts CPU resources indefinitely. The vulnerability requires local access, user interaction, and high attack complexity, confining realistic risk to environments where untrusted input can influence ImageMagick invocations - such as automated image-processing pipelines or web applications that expose connected-components functionality. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target system invokes ImageMagick with the -connected-components option supplied with invalid argument values; systems that do not use this specific feature are entirely unexposed. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H yields a Medium score of 4.7, reflecting a local attack vector with high complexity and required user interaction - conditions that substantially constrain the realistic threat surface. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can influence the arguments passed to an ImageMagick invocation - for example, through a web application that accepts user-defined image processing parameters - crafts an input that supplies invalid values to the -connected-components option. When the application processes the request, ImageMagick enters an infinite loop consuming 100% of the worker CPU, causing the image-processing worker to hang and degrading or denying service to other users of the same pipeline. … |
| Remediation | Upgrade ImageMagick to version 6.9.13-51 or later on the 6.x branch, or to version 7.1.2-26 or later on the 7.x branch; these are the vendor-confirmed fixed releases per GitHub Security Advisory GHSA-qhmf-7fc4-8q3h at https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qhmf-7fc4-8q3h. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Imagemagick
View allReadGIFImage in coders/gif.c in ImageMagick 7.0.6-1 and GraphicsMagick 1.3.26 leaves the palette uninitialized when proc
Integer overflow in MagickCore/profile.c in ImageMagick before 7.0.2-1 allows remote attackers to cause a denial of serv
The LABEL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to read arbitrary files vi
The OpenBlob function in blob.c in GraphicsMagick before 1.3.24 and ImageMagick allows remote attackers to execute arbit
The DCM reader in ImageMagick before 6.9.4-5 and 7.x before 7.0.1-7 allows remote attackers to have unspecified impact b
The ReadDCMImage function in DCM reader in ImageMagick before 6.9.4-5 and 7.x before 7.0.1-7 allows remote attackers to
The DCM reader in ImageMagick before 6.9.4-5 and 7.x before 7.0.1-7 allows remote attackers to have unspecified impact b
ImageMagick 7.0.6-5 has a memory leak vulnerability in ReadWEBPImage in coders/webp.c because memory is not freed in cer
Heap buffer overflow in ImageMagick's XBM image decoder (ReadXBMImage) lets remote attackers write attacker-controlled d
A vulnerability was found in ImageMagick. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable
In ImageMagick 7.0.9-7 Q16, there is a use-after-free in the function MngInfoDiscardObject of coders/png.c, related to R
The ReadMATImageV4 function in coders/mat.c in ImageMagick 7.0.8-7 uses an uninitialized variable, leading to memory cor
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41123