ImageMagick: Infinite loop vulnerability when parsing a PCD file
Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, when a PCD file does not contain a valid Sync marker, the DecodeImage() function becomes trapped in an infinite loop while searching for the Sync marker, causing the program to become unresponsive and continuously consume CPU resources, ultimately leading to system resource exhaustion and denial of service. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ImageMagick infinite loop in DecodeImage() when a PCD file lacks a valid Sync marker leads to denial of service via CPU exhaustion.
Vulnerability Details
CVE-2026-24485 describes an infinite loop vulnerability in ImageMagick's handling of Photo CD (PCD) files. The flaw exists in the DecodeImage() function, which enters an unbounded search for a Sync marker when the PCD file does not contain a valid one. This causes the program to become unresponsive and continuously consume CPU resources, leading to system resource exhaustion.[1]
Exploitation
An attacker can exploit this vulnerability by crafting a specially malformed PCD file that omits the required Sync marker. No authentication or special privileges are required; processing the file via any ImageMagick utility or integration (e.g., a web application that accepts image uploads) is sufficient to trigger the infinite loop. The PCDGetBits() macro, which reads chunks of data from the blob, lacked proper validation of the return value from ReadBlob(), causing it to spin indefinitely when fewer bytes than expected were read.[4]
Impact
Successful exploitation results in a denial of service (DoS), making the affected system unresponsive and exhausting CPU resources. This can impact server availability in environments where ImageMagick processes untrusted image files, such as image hosting services or content management systems.[1][2]
Mitigation
The vulnerability is patched in ImageMagick versions 7.1.2-15 and 6.9.13-40. The fix, commit 332c1566acc2de77857032d3c2504ead6210ff50, adds a check that breaks out of the read loop when ReadBlob() returns fewer bytes than requested.[4] Users should update to the patched versions and ensure that untrusted image files are processed under a restrictive security policy.[2]
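The read-loop pattern described above, with the short-read check the fix adds, as an added C illustration that is not ImageMagick's code: the Blob type, the ReadBlob()-style read_blob(), the bit-refill loop and the 5-byte sample are all constructed stand-ins for what the advisory describes.

```c
#include <stdint.h>
#include <string.h>

/* Constructed in-memory blob; a stand-in, not ImageMagick's BlobInfo. */
typedef struct { const unsigned char *data; size_t length, offset; } Blob;
/* Same contract as ReadBlob(): returns the bytes actually copied, which is
   fewer than requested once the blob runs out (a short read). */
static size_t read_blob(Blob *b, size_t length, unsigned char *out)
{
  size_t avail = b->length - b->offset;
  size_t n = length < avail ? length : avail;
  memcpy(out, b->data + b->offset, n);
  b->offset += n;
  return n;
}
typedef struct { uint64_t acc; unsigned nbits; } BitReader;
/* Refill-and-extract loop in the shape the page describes for PCDGetBits():
   pull fixed chunks from the blob until `need` bits (<= 32) are buffered.
   Without the short-read check, a truncated file makes read_blob() return 0
   forever while nbits never grows, so the loop never exits. */
static int pcd_get_bits(Blob *b, BitReader *r, unsigned need, uint32_t *value)
{
  unsigned char chunk[2];
  while (r->nbits < need) {
    size_t count = read_blob(b, sizeof chunk, chunk);
    if (count < sizeof chunk)
      return -1;                       /* the fix: bail out on a short read */
    for (size_t i = 0; i < count; i++) {
      r->acc = (r->acc << 8) | chunk[i];
      r->nbits += 8;
    }
  }
  *value = (uint32_t)((r->acc >> (r->nbits - need)) & ((1ULL << need) - 1));
  r->nbits -= need;
  return 0;
}
/* Returns the index-th 12-bit code, or -1 once the blob is exhausted.
   Every call terminates, even on a truncated file. */
static long code_at(const unsigned char *data, size_t len, int index)
{
  Blob b = { data, len, 0 };
  BitReader r = { 0, 0 };
  uint32_t v = 0;
  for (int i = 0; i <= index; i++)
    if (pcd_get_bits(&b, &r, 12, &v) != 0)
      return -1;
  return (long)v;
}
/* Constructed 5-byte sample: two 12-bit codes, then the refill hits EOF. */
static const unsigned char kTruncated[] = { 0xAB, 0xCD, 0xEF, 0x12, 0x34 };
```

On the sample, the third code request reaches the end of the blob and returns -1 instead of looping, which is the behaviour the patched ImageMagick loop restores.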
- NVD - CVE-2026-24485
- GitHub - ImageMagick/ImageMagick: ImageMagick is a free, open-source software suite for creating, editing, converting, and displaying images. It supports 200+ formats and offers powerful command-line tools and APIs for automation, scripting, and integration across platforms.
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-p… · ImageMagick/ImageMagick@332c156
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| Magick.NET-Q16-AnyCPU | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-AnyCPU | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-OpenMP-arm64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-OpenMP-x64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-arm64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-x64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-HDRI-x86 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-OpenMP-arm64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-OpenMP-x64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-OpenMP-x86 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-arm64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-x64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q16-x86 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-AnyCPU | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-OpenMP-arm64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-OpenMP-x64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-arm64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-x64 | NuGet | < 14.10.3 | 14.10.3 |
| Magick.NET-Q8-x86 | NuGet | < 14.10.3 | 14.10.3 |
Affected products
2 affected version ranges (no CPE assigned):
- range: <6.9.13-40 or <7.1.2-15
- range: >= 7.0.0, < 7.1.2-15
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (5)
- github.com/advisories/GHSA-pqgj-2p96-rx85 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-24485 (ghsa; ADVISORY)
- github.com/ImageMagick/ImageMagick/commit/332c1566acc2de77857032d3c2504ead6210ff50 (ghsa; x_refsource_MISC; WEB)
- github.com/ImageMagick/ImageMagick/security/advisories/GHSA-pqgj-2p96-rx85 (ghsa; x_refsource_CONFIRM; WEB)
- github.com/dlemstra/Magick.NET/releases/tag/14.10.3 (ghsa; x_refsource_MISC; WEB)
News mentions (0)
No linked articles in our index yet.