CVE-2026-26283
Published: 24 February 2026
Summary
CVE-2026-26283 is a medium-severity Infinite Loop (CWE-835) vulnerability in Imagemagick Imagemagick. Its CVSS base score is 6.2 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 5.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Infinite loop in ImageMagick JPEG encoder enables local application exploitation resulting in CPU exhaustion and process hang (Endpoint DoS via software vulnerability).
NVD Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a `continue` statement in the JPEG extent binary search loop in the jpeg encoder causes an infinite loop when writing persistently…
more
fails. An attacker can trigger a 100% CPU consumption and process hang (Denial of Service) with a crafted image. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
Deeper analysisAI
CVE-2026-26283 is a denial-of-service vulnerability in ImageMagick, a free and open-source software suite for editing and manipulating digital images. The issue stems from a `continue` statement in the JPEG extent binary search loop within the JPEG encoder, which triggers an infinite loop when image writing persistently fails. This affects ImageMagick versions prior to 7.1.2-15 (for the 7.x series) and 6.9.13-40 (for the 6.x series), earning a CVSS v3.1 base score of 6.2 (AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and mapping to CWE-835 (Infinite Loop).
A local attacker with no privileges required can exploit this vulnerability by supplying a specially crafted image to an affected ImageMagick instance. The low attack complexity and lack of user interaction mean that processing the malicious image leads to 100% CPU consumption and a process hang, resulting in a denial of service on the targeted system or application.
The ImageMagick GitHub security advisory (GHSA-gwr3-x37h-h84v) confirms that versions 7.1.2-15 and 6.9.13-40 include patches to address the infinite loop. Security practitioners should update to these fixed versions and validate image inputs in applications using ImageMagick for processing, especially in local or automated workflows.
Details
- CWE(s)