CVE-2026-24485
Published: 24 February 2026
Summary
CVE-2026-24485 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in ImageMagick. Its CVSS base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 5.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-24485 is a denial-of-service vulnerability in ImageMagick, an open-source software suite for image editing and manipulation. It affects versions prior to 7.1.2-15 and 6.9.13-40. The issue arises when processing a Photo CD (PCD) file lacking a valid Sync marker, causing the DecodeImage() function to enter an infinite loop while searching for the marker. This results in continuous CPU consumption, system resource exhaustion, and program unresponsiveness, classified under CWE-400 (Uncontrolled Resource Consumption) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
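The loop shape the advisory describes, modelled as an added example rather than ImageMagick's own coders/pcd.c (the one-byte marker value, the blob reader and the function names are assumptions made for illustration): the original pattern keeps reading until it sees the Sync marker, and because a ReadBlobByte-style reader returns EOF forever once the data is exhausted, a file with no marker never leaves the loop. The hardened pattern treats EOF as a terminating condition and reports a corrupt image instead.

```c
#include <stdio.h>
#include <stddef.h>

/* Model of a sync-marker scan, written for this page; it is not ImageMagick's
 * coders/pcd.c. The marker value and the blob reader are assumptions. */
#define PCD_SYNC_MARKER 0xFF            /* hypothetical single-byte marker */
#define UNBOUNDED_DEMO_BUDGET 100000UL  /* only so the vulnerable loop returns */

typedef struct {
    const unsigned char *data;
    size_t length;
    size_t offset;
} Blob;

/* ReadBlobByte-style reader: returns EOF (-1) once the data is exhausted and
 * keeps returning EOF on every later call. */
static int blob_read_byte(Blob *blob)
{
    if (blob->offset >= blob->length)
        return EOF;
    return blob->data[blob->offset++];
}

/* Vulnerable shape: read until the marker appears. Once the reader hits EOF it
 * returns -1 forever, which never equals the marker, so a file without a marker
 * spins this loop at 100% CPU. The budget check exists only so the demo can
 * return; the flawed pattern has no such exit. Returns -2 when the budget runs out. */
static long find_sync_unbounded(Blob *blob)
{
    unsigned long spins = 0;
    int byte;

    do {
        if (spins++ >= UNBOUNDED_DEMO_BUDGET)
            return -2;
        byte = blob_read_byte(blob);
    } while (byte != PCD_SYNC_MARKER);
    return (long) blob->offset - 1;
}

/* Hardened shape: EOF terminates the scan and is reported as a corrupt image
 * (-1) rather than being retried. Bounding the search is the whole fix. */
static long find_sync_bounded(Blob *blob)
{
    for (;;) {
        int byte = blob_read_byte(blob);
        if (byte == EOF)
            return -1;
        if (byte == PCD_SYNC_MARKER)
            return (long) blob->offset - 1;
    }
}

/* Offset of the first marker; -1 when the hardened path reaches end of data
 * without one; -2 when the vulnerable path exhausted its demo budget. */
long locate_sync(const unsigned char *data, size_t length, int hardened)
{
    Blob blob = { data, length, 0 };
    return hardened ? find_sync_bounded(&blob) : find_sync_unbounded(&blob);
}

/* Constructed samples: one with a marker, one truncated before any marker. */
const unsigned char kWithMarker[] = { 0x10, 0x20, PCD_SYNC_MARKER, 0x30 };
const size_t kWithMarkerLen = sizeof kWithMarker;
const unsigned char kNoMarker[] = { 0x10, 0x20, 0x30 };
const size_t kNoMarkerLen = sizeof kNoMarker;

int main(void)
{
    printf("marker present, hardened : %ld\n", locate_sync(kWithMarker, kWithMarkerLen, 1));
    printf("marker present, original : %ld\n", locate_sync(kWithMarker, kWithMarkerLen, 0));
    printf("marker missing,  hardened : %ld\n", locate_sync(kNoMarker, kNoMarkerLen, 1));
    printf("marker missing,  original : %ld (demo budget exhausted)\n",
           locate_sync(kNoMarker, kNoMarkerLen, 0));
    return 0;
}
```

The point to carry over to any decoder review is the loop condition: a scan that only exits on a positive match has no exit on a negative one, and every reader that can return EOF needs that case handled before the match is checked.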
Any unauthenticated remote attacker can exploit this vulnerability by supplying a specially crafted PCD file to an ImageMagick instance, for example through a web application or service that processes user-uploaded images. No user interaction or privileges are required, so exploitation is possible over the network with low complexity. Successful exploitation hangs the affected process in a CPU-bound loop; in a service with a fixed pool of image-processing workers, each crafted upload occupies one worker until it is killed, so a handful of requests can exhaust the pool.
Patches addressing this vulnerability are available in ImageMagick versions 7.1.2-15 and 6.9.13-40, as detailed in the project's GitHub security advisory (GHSA-pqgj-2p96-rx85) and the fixing commit (332c1566acc2de77857032d3c2504ead6210ff50). Additionally, the Magick.NET library, a .NET binding for ImageMagick, released version 14.10.3 with mitigations. Security practitioners should update to patched versions and validate image inputs where possible to prevent exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7456
Vulnerability details
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, when a PCD file does not contain a valid Sync marker, the DecodeImage() function becomes trapped in an infinite loop while searching for the Sync marker, causing the program to become unresponsive and continuously consume CPU resources, ultimately leading to system resource exhaustion and denial of service. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote exploitation of a public-facing image processing application (T1190) via crafted input leading to application resource exhaustion (T1499.003).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Timely patching of ImageMagick to versions 7.1.2-15 or 6.9.13-40 directly remediates the infinite loop flaw in DecodeImage() triggered by malformed PCD files.
- SC-5 (Denial-of-Service Protection): Denial-of-service protections identify and defend against resource exhaustion attacks like the CPU consumption from processing crafted PCD files lacking valid Sync markers.
- SI-10 (Information Input Validation): Validating image inputs from external sources prevents malformed PCD files from reaching the vulnerable DecodeImage() function and triggering the infinite loop.
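How the SC-5 and SI-10 controls translate into ImageMagick's own security policy, as an added example that is not part of the advisory (the file location and the 30-second value are assumptions; the `resource`/`time` and `coder` policy domains are ImageMagick's):

```xml
<!-- Excerpt for ImageMagick's policy.xml (often /etc/ImageMagick-7/policy.xml;
     the path varies by distribution and major version). -->
<policymap>
  <!-- SC-5: cap wall-clock seconds per operation so a decoder stuck in a loop
       is aborted instead of holding a core and a worker indefinitely. -->
  <policy domain="resource" name="time" value="30"/>
  <!-- SI-10: if the service never needs Photo CD input, refuse the coder
       outright so a crafted PCD file is rejected before DecodeImage() runs. -->
  <policy domain="coder" rights="none" pattern="{PCD,PCDS}"/>
</policymap>
```

Confirm the active policy with `magick identify -list policy` (or `identify -list policy` on the 6.x series). Two caveats: the time limit is enforced at the points where ImageMagick checks its resource accounting, so treat it as defence in depth and still run conversions under an external process timeout; and the coder policy only helps where Photo CD input is not a supported format, so in either case the version upgrade remains the actual fix.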