CVE-2026-45664 Overview
CVE-2026-45664 is a resource exhaustion vulnerability in ImageMagick, the widely deployed open-source image manipulation library. The flaw resides in the Multiple-image Network Graphics (MNG) coder, which fails to enforce the configured list limit policy when reading image frames. A remote attacker can supply a crafted MNG file that causes ImageMagick to read more images than policy permits, consuming excessive CPU and memory. The issue is classified under [CWE-400: Uncontrolled Resource Consumption]. ImageMagick versions prior to 6.9.13-47 and 7.1.2-22 are affected.
Critical Impact
A crafted MNG file processed by a vulnerable ImageMagick build bypasses the list limit policy, enabling denial-of-service through excessive resource consumption on servers that accept untrusted image input.
Affected Products
- ImageMagick 6.x prior to 6.9.13-47
- ImageMagick 7.x prior to 7.1.2-22
- Applications and web services that invoke ImageMagick to decode MNG images from untrusted sources
Discovery Timeline
- 2026-06-10 - CVE-2026-45664 published to the National Vulnerability Database
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-45664
Vulnerability Analysis
ImageMagick exposes a policy system that lets administrators cap resource usage through directives such as the list-length limit, which restricts the number of images a coder may load from a single file. The MNG coder, responsible for decoding multi-frame Network Graphics containers, omits the policy check that other coders apply when iterating frames.
When the coder parses an MNG stream, it continues to allocate and decode image structures for every frame referenced in the container. An attacker who controls the MNG file can declare an arbitrarily large number of embedded frames. Each frame triggers additional decoding work and memory allocation, exhausting the host before the policy engine intervenes.
The vulnerability is reachable over the network whenever an application passes attacker-supplied bytes to ImageMagick with MNG decoding enabled. Common exposure surfaces include image upload endpoints, thumbnailing pipelines, content management systems, and document conversion services.
Root Cause
The root cause is a missing enforcement check inside the MNG coder. The coder reads frames in a loop without consulting the list-length policy limit that governs the number of images permitted per decode operation. Because the check is absent, the configured safety ceiling never applies, regardless of how strictly the operator has tuned policy.xml.
Attack Vector
Exploitation requires no authentication and no user interaction beyond submitting a file. An attacker uploads or otherwise delivers a malformed MNG file to a service that calls ImageMagick. During decoding, ImageMagick allocates resources for every declared frame, driving CPU and memory utilization until the process is killed or the host becomes unresponsive. Repeated requests amplify the effect into a sustained denial-of-service condition.
No verified public proof-of-concept code is available. Refer to the ImageMagick GitHub Security Advisory for upstream technical details.
Detection Methods for CVE-2026-45664
Indicators of Compromise
- Sudden spikes in CPU or memory consumption by ImageMagick processes (convert, magick, identify) without a corresponding workload increase.
- Out-of-memory kills or container restarts on hosts that process user-supplied images.
- Inbound HTTP requests carrying files with the .mng extension or video/x-mng content type to upload endpoints.
Detection Strategies
- Inventory installed ImageMagick binaries and compare versions against 6.9.13-47 and 7.1.2-22; flag any older builds.
- Inspect application logs for ImageMagick errors related to resource limits, aborted conversions, or unusually long decode times.
- Correlate web application logs with process telemetry to identify image uploads that immediately precede resource spikes.
Monitoring Recommendations
- Monitor per-process memory and CPU ceilings for image-processing workers and alert on threshold breaches.
- Track the frequency of MNG content submissions; this format is uncommon in production traffic and warrants scrutiny.
- Enable verbose logging in ImageMagick during incident response to capture the coder name and frame counts handled per request.
How to Mitigate CVE-2026-45664
Immediate Actions Required
- Upgrade ImageMagick to version 6.9.13-47, 7.1.2-22, or later on all systems that decode untrusted images.
- If patching is delayed, disable the MNG coder in policy.xml to remove the vulnerable code path.
- Restrict accepted upload formats at the application layer and reject MNG files outright when they are not required.
Patch Information
The ImageMagick maintainers fixed the missing check in versions 6.9.13-47 and 7.1.2-22. Distribution maintainers typically backport these patches; verify your package manager has the fixed build before considering the system remediated. The upstream fix is documented in the ImageMagick GitHub Security Advisory GHSA-g5mf-wqq5-vwg6.
Workarounds
- Add a <policy domain="coder" rights="none" pattern="MNG" /> entry to ImageMagick's policy.xml to block MNG processing.
- Enforce strict memory, map, disk, and time limits in policy.xml so runaway decoders are terminated before exhausting the host.
- Run image conversion in sandboxed workers with hard cgroup limits to contain the impact of any single malicious file.
# Configuration example: disable the MNG coder and tighten resource policy
# /etc/ImageMagick-7/policy.xml
<policymap>
<policy domain="coder" rights="none" pattern="MNG" />
<policy domain="resource" name="memory" value="256MiB"/>
<policy domain="resource" name="map" value="512MiB"/>
<policy domain="resource" name="disk" value="1GiB"/>
<policy domain="resource" name="time" value="30"/>
<policy domain="resource" name="list-length" value="32"/>
</policymap>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
