ImageMagick has possible infinite loop in JPEG encoder when using `jpeg:extent`

CVE-2026-26283 describes an infinite loop vulnerability in ImageMagick's JPEG extent binary search loop. The vulnerability resides in the jpeg encoder: when the continue statement is executed due to a persistent write failure, the loop never terminates, causing 100% CPU utilization and a process hang. This issue affects all versions prior to 7.1.2-15 and 6.9.13-40 [1][2].

An attacker can exploit this vulnerability by providing a specially crafted image file that triggers the write failure condition during JPEG encoding with the jpeg:extent option. The attack requires no authentication and can be delivered through any vector that causes ImageMagick to process the malicious image, such as a web application that uses ImageMagick for image conversion or resizing [3][4].

The impact is a denial of service (DoS) condition: the affected ImageMagick process hangs indefinitely, consuming 100% CPU and becoming unresponsive. This can lead to resource exhaustion on the host system, potentially affecting other services or users. No data integrity or confidentiality breach has been associated with this vulnerability [2][4].

ImageMagick has released patched versions 7.1.2-15 and 6.9.13-40 that fix the infinite loop by correcting the loop logic. Users are strongly advised to upgrade to these or later versions. If immediate upgrade is not possible, administrators can mitigate the risk by avoiding the use of the jpeg:extent option on untrusted images or by applying strict image-processing policies [1][2][4].