CVE-2026-26283
Published: 24 February 2026
Summary
CVE-2026-26283 is a medium-severity Infinite Loop (CWE-835) vulnerability in Imagemagick Imagemagick. Its CVSS base score is 6.2 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 5.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-26283 is a denial-of-service vulnerability in ImageMagick, a free and open-source software suite for editing and manipulating digital images. The issue stems from a `continue` statement in the JPEG extent binary search loop within the JPEG encoder, which triggers an infinite loop when image writing persistently fails. This affects ImageMagick versions prior to 7.1.2-15 (for the 7.x series) and 6.9.13-40 (for the 6.x series), earning a CVSS v3.1 base score of 6.2 (AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and mapping to CWE-835 (Infinite Loop).
A local attacker with no privileges required can exploit this vulnerability by supplying a specially crafted image to an affected ImageMagick instance. The low attack complexity and lack of user interaction mean that processing the malicious image leads to 100% CPU consumption and a process hang, resulting in a denial of service on the targeted system or application.
The ImageMagick GitHub security advisory (GHSA-gwr3-x37h-h84v) confirms that versions 7.1.2-15 and 6.9.13-40 include patches to address the infinite loop. Security practitioners should update to these fixed versions and validate image inputs in applications using ImageMagick for processing, especially in local or automated workflows.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7414
Vulnerability details
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a `continue` statement in the JPEG extent binary search loop in the jpeg encoder causes an infinite loop when writing persistently…
more
fails. An attacker can trigger a 100% CPU consumption and process hang (Denial of Service) with a crafted image. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Infinite loop in ImageMagick JPEG encoder enables local application exploitation resulting in CPU exhaustion and process hang (Endpoint DoS via software vulnerability).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely installation of the vendor patch that eliminates the continue-statement infinite loop in the JPEG encoder.
Requires validation of image inputs before processing, blocking the specially crafted JPEG that triggers persistent write failure and the loop.
Mandates protection against resource-exhaustion conditions that produce the 100 % CPU hang described in the CVE.