CVE-2026-26066

6.2 MEDIUM

📋 TL;DR

ImageMagick versions before 7.1.2-15 and 6.9.13-40 contain a vulnerability where specially crafted IPTC profile data can trigger an infinite loop when processed with the IPTCTEXT function. This affects any system or application using vulnerable ImageMagick versions to process images, potentially causing denial of service. The vulnerability is in the image processing library itself, so any software using ImageMagick could be impacted.

💻 Affected Systems

Products:
  • ImageMagick
Versions: All versions before 7.1.2-15 and 6.9.13-40
Operating Systems: All operating systems running ImageMagick
Default Config Vulnerable: ⚠️ Yes
Notes: Any application or service using ImageMagick to process images with IPTC metadata is vulnerable. This includes web applications, content management systems, and image processing pipelines.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete denial of service through resource exhaustion - an attacker could cause ImageMagick processes to hang indefinitely, consuming CPU and memory until manual intervention.

🟠 Likely Case

Service disruption where image processing operations fail or become unresponsive, affecting applications that rely on ImageMagick for image manipulation.

🟢 If Mitigated

Minimal impact with proper input validation and resource limits in place, though some processing delays may still occur.

🌐 Internet-Facing: MEDIUM - Applications accepting user-uploaded images could be targeted, but requires specific IPTC data manipulation.
🏢 Internal Only: LOW - Requires crafted image files to be processed, less likely in controlled internal environments.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires creating or modifying an image with malicious IPTC data, which requires some technical knowledge of IPTC format. No public exploit code has been identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.1.2-15 and 6.9.13-40

Vendor Advisory: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v994-63cg-9wj3

Restart Required: Yes

Instructions:

1. Identify current ImageMagick version using 'convert --version' or 'magick --version'
2. For systems using package managers: Update via 'apt-get update && apt-get upgrade imagemagick' (Debian/Ubuntu) or 'yum update imagemagick' (RHEL/CentOS)
3. For source installations: Download latest version from ImageMagick.org and recompile
4. Restart any services or applications using ImageMagick

🔧 Temporary Workarounds

Disable IPTC profile processing (platform: all)

Configure ImageMagick to ignore or strip IPTC metadata during image processing

convert input.jpg -strip output.jpg
magick input.jpg -strip output.jpg

Implement resource limits (platform: linux)

Set CPU and memory limits on ImageMagick processes to prevent complete resource exhaustion

ulimit -t 30        # limits CPU time to 30 seconds
ulimit -v 1000000   # limits virtual memory to 1GB (value is in KiB)

🧯 If You Can't Patch

  • Implement strict input validation to reject or sanitize images with IPTC metadata before processing
  • Deploy ImageMagick in containerized environments with strict resource limits and automatic restart policies

🔍 How to Verify

Check if Vulnerable:

Check the ImageMagick version with 'convert --version' or 'magick --version' and compare it against the fixed releases: anything before 7.1.2-15 (7.x branch) or before 6.9.13-40 (6.x branch) is vulnerable

Check Version:

convert --version 2>/dev/null || magick --version 2>/dev/null || echo 'ImageMagick not found'

Verify Fix Applied:

After updating, verify version shows 7.1.2-15 or higher, or 6.9.13-40 or higher. Test with known safe images containing IPTC data.
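The version check above is easy to get wrong by hand because the two branches must be compared separately (6.9.13-40 is numerically older than 7.1.2-15 but is a fixed release). The following added example, not part of the advisory, parses the `magick --version` / `convert --version` output and classifies it branch by branch; the sample output string is constructed.

```python
import re
import subprocess

# Fixed releases named in the advisory, keyed by major version branch.
FIXED = {7: (7, 1, 2, 15), 6: (6, 9, 13, 40)}

_VERSION_RE = re.compile(r"ImageMagick\s+(\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_version(version_output):
    """Extract (major, minor, micro, patchlevel) from --version text.

    Returns None when no ImageMagick version line is present.
    """
    m = _VERSION_RE.search(version_output)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def is_vulnerable(version):
    """True when `version` predates the fixed release of its own branch.

    Each major is compared against its own fix line; majors older than 6
    are treated as unfixed and majors newer than 7 as fixed.
    """
    major = version[0]
    if major in FIXED:
        return version < FIXED[major]
    return major < 6


def check_installed(binaries=("magick", "convert")):
    """Run the first available ImageMagick binary and classify its version.

    Returns (version_tuple, vulnerable), or (None, None) if none is found.
    """
    for exe in binaries:
        try:
            out = subprocess.run([exe, "--version"], capture_output=True,
                                 text=True, timeout=10).stdout
        except (OSError, subprocess.TimeoutExpired):
            continue
        version = parse_version(out)
        if version:
            return version, is_vulnerable(version)
    return None, None


# Constructed sample in the shape `magick --version` prints (not real output).
SAMPLE_OUTPUT = (
    "Version: ImageMagick 7.1.2-14 Q16-HDRI x86_64 22551 https://imagemagick.org\n"
    "Copyright: (C) 1999 ImageMagick Studio LLC\n"
)

if __name__ == "__main__":
    v = parse_version(SAMPLE_OUTPUT)
    print(v, "vulnerable" if is_vulnerable(v) else "fixed")
    print("installed:", *check_installed())
```

Distribution packages sometimes backport security fixes without bumping the upstream version string, so treat a "vulnerable" result from this check as a prompt to consult the vendor's changelog rather than as proof.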

📡 Detection & Monitoring

Log Indicators:

  • ImageMagick processes consuming 100% CPU for extended periods
  • Image processing timeouts or failures in application logs
  • High memory usage by ImageMagick processes

Network Indicators:

  • Increased failed image uploads or processing requests
  • Unusual patterns of image file uploads to web applications

SIEM Query:

(process_name:"convert" OR process_name:"magick") AND cpu_usage:>90 AND duration:>60s
