CVE-2026-24485— ImageMagick: Infinite loop vulnerability when parsing a PCD file
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-24485
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
ImageMagick: Infinite loop vulnerability when parsing a PCD file
Source: NVD (National Vulnerability Database)
Vulnerability Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, when a PCD file does not contain a valid Sync marker, the DecodeImage() function becomes trapped in an infinite loop while searching for the Sync marker, causing the program to become unresponsive and continuously consume CPU resources, ultimately leading to system resource exhaustion and denial of service. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
未加控制的资源消耗(资源穷尽)
Source: NVD (National Vulnerability Database)
Vulnerability Title
ImageMagick 资源管理错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
ImageMagick是ImageMagick开源的一套开源的图像处理软件。可读取、转换或写入多种格式的图片。 ImageMagick 7.1.2-15之前版本和6.9.13-40之前版本存在资源管理错误漏洞,该漏洞源于处理无效Sync标记的PCD文件时,DecodeImage函数陷入无限循环,可能导致拒绝服务。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| ImageMagick | ImageMagick | >= 7.0.0, < 7.1.2-15 | - |
II. Public POCs for CVE-2026-24485
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-24485
请登录查看更多情报信息。
- Release Magick.NET 14.10.3 · dlemstra/Magick.NET · GitHubx_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2026-24485
Same Patch Batch · ImageMagick · 2026-02-24 · 32 CVEs total
| CVE-2026-25965 | 8.6 HIGH | ImageMagick's policy bypass through path traversal allows reading restricted content despi |
| CVE-2026-25794 | 8.2 HIGH | ImageMagick has heap-buffer-overflow via signed integer overflow in `WriteUHDRImage` when |
| CVE-2026-24481 | 7.5 HIGH | ImageMagick has Possible Heap Information Disclosure in PSD ZIP Decompression |
| CVE-2026-25989 | 7.5 HIGH | ImageMagick has integer overflow or wraparound and incorrect conversion between numeric ty |
| CVE-2026-25985 | 7.5 HIGH | Memory allocation with excessive without limits in the internal SVG decoder |
| CVE-2026-25967 | 7.4 HIGH | ImageMagick has stack buffer overflow in FTXT reader via oversized integer field |
| CVE-2026-25968 | 7.4 HIGH | ImageMagick has MSL attribute stack buffer overflow that leads to out of bounds write. |
| CVE-2026-26284 | 6.5 MEDIUM | ImageMagick has heap overflow in pcd decoder that leads to out of bounds read. |
| CVE-2026-25897 | 6.5 MEDIUM | ImageMagick has heap overflow in sun decoder on 32-bit systems that can result in out of b |
| CVE-2026-25898 | 6.5 MEDIUM | Imagemagick Has Global Buffer Overflow (OOB Read) via Negative Pixel Index in UIL and XPM |
| CVE-2026-25982 | 6.5 MEDIUM | ImageMagick Has Heap Out-of-Bounds Read in DCM Decoder (ReadDCMImage) |
| CVE-2026-26066 | 6.2 MEDIUM | ImageMagick has infinite loop when writing IPTCTEXT leads to denial of service via crafted |
| CVE-2026-26283 | 6.2 MEDIUM | ImageMagick has possible infinite loop in JPEG encoder when using `jpeg:extent` |
| CVE-2026-25971 | 6.2 MEDIUM | ImageMagick's MSL: Stack overflow in ProcessMSLScript |
| CVE-2026-25966 | 5.9 MEDIUM | ImageMagick's Security Policy Bypass through config/policy-secure.xml via "fd handler" lea |
| CVE-2026-25797 | 5.7 MEDIUM | ImageMagick vulnerable to Code injection via PostScript header in ps coders |
| CVE-2026-25637 | 5.3 MEDIUM | ImageMagick: Possible memory leak in ASHLAR encoder |
| CVE-2026-26983 | 5.3 MEDIUM | ImageMagick: Invalid MSL <map> can result in a use after free |
| CVE-2026-24484 | 5.3 MEDIUM | ImageMagick: Converting multi-layer nested MVG to SVG can cause DoS |
| CVE-2026-25986 | 5.3 MEDIUM | ImageMagick has a heap buffer overflow in YUV 4:2:2 decoder |
Showing top 20 of 32 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: ImageMagick
- CVE-2026-40312
ImageMagick: Off-by-One in MSL decoder could result in crash - CVE-2026-40311
ImageMagick: Heap-use-after-free via XMP profile could resul - CVE-2026-40310
ImageMagick: Heap out-of-bounds write in JP2 encoder - CVE-2026-40183
ImageMagick: Heap buffer overflow when encoding JXL image wi - CVE-2026-40169
ImageMagick: Heap buffer overflow (WRITE) in the YAML and JS
Same vendor: ImageMagick
- CVE-2026-40312
ImageMagick: Off-by-One in MSL decoder could result in crash - CVE-2026-40311
ImageMagick: Heap-use-after-free via XMP profile could resul - CVE-2026-40310
ImageMagick: Heap out-of-bounds write in JP2 encoder - CVE-2026-40183
ImageMagick: Heap buffer overflow when encoding JXL image wi - CVE-2026-40169
ImageMagick: Heap buffer overflow (WRITE) in the YAML and JS
Same weakness: CWE-400
- CVE-2026-8187
Open5GS UPF gtp-path.c _gtpv1_u_recv_cb resource consumption - CVE-2026-42343
FastGPT: Uncontrolled Resource Consumption leading to Sandbo - CVE-2026-42212
SolidCAM-GPPL-IDE: XML External Entity (XXE) and billion-lau - CVE-2026-32686
Unbounded exponent in decimal enables unauthenticated DoS - CVE-2026-20188
Cisco Crosswork Network Controller and Cisco Network Service
V. Comments for CVE-2026-24485
No comments yet