
CVE-2026-46522: ImageMagick MIFF Decoder DoS Vulnerability

CVE-2026-46522 is a denial of service vulnerability in ImageMagick's MIFF decoder that causes infinite loops and CPU exhaustion. This article covers the technical details, affected versions, and mitigation strategies.

Published: June 11, 2026

CVE-2026-46522 Overview

CVE-2026-46522 is a denial-of-service vulnerability in ImageMagick, the open-source image processing library used across web applications, content management systems, and automated media pipelines. The flaw exists in the Magick Image File Format (MIFF) decoder, where a missing input check allows a crafted MIFF file to trigger an infinite loop. Processing the malicious file drives the CPU to full utilization and exhausts host resources. The vulnerability affects ImageMagick versions prior to 7.1.2.23 and 6.9.13-48. The issue is tracked under [CWE-400] Uncontrolled Resource Consumption.

Critical Impact

A remote attacker can submit a crafted MIFF image to any service that calls ImageMagick, causing sustained CPU exhaustion and denial of service without authentication or user interaction.

Affected Products

  • ImageMagick versions prior to 7.1.2.23
  • ImageMagick 6.x versions prior to 6.9.13-48
  • Applications and services that invoke ImageMagick to decode MIFF format inputs

Discovery Timeline

  • 2026-06-10 - CVE-2026-46522 published to NVD
  • 2026-06-10 - Last updated in NVD database

Technical Details for CVE-2026-46522

Vulnerability Analysis

The vulnerability resides in the MIFF decoder within ImageMagick. MIFF is ImageMagick's native lossless container format that stores pixel data along with metadata describing image geometry, colorspace, and compression. The decoder parses these headers and pixel streams sequentially during image load operations.

A crafted MIFF file omits or manipulates a field that the decoder relies on to advance its parsing loop. Because the decoder does not validate the condition that terminates the loop, processing never reaches an exit state. The loop continues consuming CPU cycles indefinitely, blocking the worker thread and preventing other image operations from completing.

This class of flaw is categorized as an algorithmic denial-of-service condition. It does not corrupt memory or disclose data, but it disables the affected process or container until the operation is killed externally.

Root Cause

The root cause is a missing termination check in the MIFF decoder's parsing logic. The decoder trusts attacker-controlled values when deciding whether to continue reading, and a hostile combination of those values produces a state that the loop cannot exit. ImageMagick maintainers added the missing validation in versions 7.1.2.23 and 6.9.13-48.

Attack Vector

Exploitation requires only that a target system decode an attacker-supplied MIFF file. Common exposure paths include image upload endpoints, thumbnail generators, document converters, and email attachment scanners that pass user content to ImageMagick. The attack vector is network-accessible, requires no privileges, and needs no user interaction. Each request consumes a worker process or thread, so repeated submissions can rapidly drain capacity across an entire fleet.

No synthetic exploit code is reproduced here. Refer to the GitHub Security Advisory GHSA-7gg8-qqx7-92g5 for vendor-published technical detail.

Detection Methods for CVE-2026-46522

Indicators of Compromise

  • ImageMagick worker processes (convert, magick, identify) consuming sustained 100% CPU on a single core for unusually long durations
  • Image processing requests that never return a response or exceed configured timeouts repeatedly
  • Inbound files with the MIFF signature (id=ImageMagick header bytes) from untrusted sources
  • Spikes in load average correlated with image upload or conversion endpoint traffic

Detection Strategies

  • Monitor process runtime and CPU consumption for ImageMagick binaries and alert when a single invocation exceeds a defined wall-clock threshold
  • Inspect uploaded files for the MIFF magic header and flag samples submitted by unauthenticated or low-reputation sources for sandboxed analysis
  • Track the version of installed libMagickCore and libMagickWand libraries across hosts to confirm patched builds are deployed
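The application-layer check described above (flag the MIFF magic header on untrusted uploads, and reject or sandbox them) as an added example that is not part of the original advisory. It parses the MIFF header far enough to separate well-formed MIFF from files that carry the signature but lack a header terminator or the geometry fields every valid MIFF has; the sample bytes are constructed here, not taken from the advisory.

```python
import re
from typing import Dict, Optional

# MIFF files begin with this literal; the header is whitespace-separated
# key=value pairs (values may be brace-quoted) terminated by ':' + Ctrl-Z.
MIFF_MAGIC = b"id=ImageMagick"
MIFF_HEADER_END = b":\x1a"
FIELD_RE = re.compile(r"([A-Za-z0-9_-]+)=(\{[^}]*\}|\S+)")


def parse_miff_header(data: bytes) -> Optional[Dict[str, str]]:
    """Return MIFF header fields, {} if the header never terminates,
    or None if the bytes are not MIFF at all."""
    if not data.startswith(MIFF_MAGIC):
        return None
    end = data.find(MIFF_HEADER_END)
    if end == -1:
        return {}  # magic present but no header terminator: malformed
    header = data[:end].decode("latin-1")
    return {m.group(1): m.group(2).strip("{}") for m in FIELD_RE.finditer(header)}


def classify_upload(data: bytes) -> str:
    """Triage verdict for an uploaded blob: 'not-miff', 'miff' or 'miff-malformed'.
    A well-formed MIFF always carries columns/rows, so their absence is suspicious."""
    fields = parse_miff_header(data)
    if fields is None:
        return "not-miff"
    if not fields or not {"columns", "rows"}.issubset(fields):
        return "miff-malformed"
    return "miff"


# Constructed 2x1 sRGB sample for illustration; not a file from the advisory.
SAMPLE_MIFF = (
    b"id=ImageMagick version=1.0\n"
    b"class=DirectClass colors=0 matte=False\n"
    b"columns=2 rows=1 depth=8\n"
    b"colorspace=sRGB compression=None\n"
    b"comment={constructed sample}\n"
    b"\x0c\n:\x1a"
    b"\xff\x00\x00\x00\xff\x00"
)

if __name__ == "__main__":
    for blob in (SAMPLE_MIFF, SAMPLE_MIFF[:20], b"\x89PNG\r\n\x1a\n"):
        print(classify_upload(blob), parse_miff_header(blob))
```

Whatever the verdict, a MIFF from an unauthenticated source is still a candidate for sandboxed analysis per the advisory; the parser only decides which queue it lands in.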

Monitoring Recommendations

  • Centralize ImageMagick stderr and resource-limit logs into a SIEM or data lake to correlate timeouts with source IP and request identifiers
  • Establish baselines for normal image conversion duration per format and alert on outliers, particularly for MIFF inputs
  • Track web application gateway metrics for request queue depth and worker saturation on endpoints that invoke image processing

How to Mitigate CVE-2026-46522

Immediate Actions Required

  • Upgrade ImageMagick to version 7.1.2.23 (7.x branch) or 6.9.13-48 (6.x branch), or later, on all hosts that decode untrusted images
  • Inventory containers, serverless functions, and third-party appliances that embed ImageMagick and apply vendor updates as they ship
  • Enforce strict per-process CPU and wall-clock limits on ImageMagick invocations using policy.xml resource directives
  • Restrict the MIFF decoder in policy.xml if MIFF processing is not required by the application

Patch Information

ImageMagick maintainers fixed the missing decoder check in versions 7.1.2.23 (7.x branch) and 6.9.13-48 (6.x branch). Patch details and the full vendor advisory are available in the ImageMagick GitHub Security Advisory GHSA-7gg8-qqx7-92g5. Rebuild any application containers that bundle ImageMagick statically and redeploy after the upgrade.

Workarounds

  • Disable the MIFF coder in ImageMagick policy.xml when patching cannot be performed immediately
  • Apply <policy domain="resource" name="time" value="30"/> and similar CPU limits to terminate runaway decode operations
  • Validate file types at the application layer and reject MIFF uploads from untrusted sources until the patch is deployed
  • Run ImageMagick inside a sandbox or cgroup-constrained container with hard CPU quotas to contain resource exhaustion
```xml
<!-- Example policy.xml additions to constrain ImageMagick processing -->
<!-- Place inside the <policymap> element -->
<policy domain="coder" rights="none" pattern="MIFF" />
<policy domain="resource" name="time" value="30" />
<policy domain="resource" name="memory" value="256MiB" />
<policy domain="resource" name="map" value="512MiB" />
```
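A fleet-side check for the two policy.xml workarounds listed above (MIFF coder disabled, bounded wall-clock time), added here as an example and not part of the advisory or of ImageMagick itself. The two policies it audits are constructed for illustration; the `audit_policy` name and the 30-second default are this example's own choices.

```python
import xml.etree.ElementTree as ET
from typing import List, Set


def _patterns(pattern: str) -> Set[str]:
    # policy.xml patterns are a single coder name or a brace list like "{PS,EPS}"
    return {p.strip().upper() for p in pattern.strip("{}").split(",") if p.strip()}


def audit_policy(policy_xml: str, max_seconds: int = 30) -> List[str]:
    """Return findings for a policy.xml body; an empty list means both
    workarounds are present: MIFF coder denied and a numeric time limit."""
    root = ET.fromstring(policy_xml)
    findings: List[str] = []
    miff_blocked = False
    time_value = None
    for policy in root.iter("policy"):
        domain = policy.get("domain")
        if domain == "coder" and policy.get("rights") == "none":
            if "MIFF" in _patterns(policy.get("pattern", "")):
                miff_blocked = True
        elif domain == "resource" and policy.get("name") == "time":
            time_value = policy.get("value")
    if not miff_blocked:
        findings.append('MIFF coder is not disabled (no coder policy with rights="none" covering MIFF)')
    if time_value is None:
        findings.append("no resource time limit: a runaway decode runs until killed externally")
    elif not time_value.isdigit() or int(time_value) > max_seconds:
        findings.append(f"time limit {time_value!r} is not a bound of at most {max_seconds}s")
    return findings


# Constructed policies for illustration; not ImageMagick's shipped policy.xml.
WEAK_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="time" value="unlimited"/>
</policymap>"""

HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="{MIFF,MNG}"/>
  <policy domain="resource" name="time" value="30"/>
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>"""

if __name__ == "__main__":
    print("weak:", audit_policy(WEAK_POLICY))
    print("hardened:", audit_policy(HARDENED_POLICY))
```

Run it against each host's active policy.xml (`magick -list policy` shows which file is in effect) to confirm the workaround landed before relying on it.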

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: DOS
  • Vendor/Tech: Imagemagick
  • Severity: HIGH
  • CVSS Score: 7.5
  • Known Exploited: No
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: High

CWE References

  • CWE-400

Technical References

  • GitHub Security Advisory

Related CVEs

  • CVE-2026-53460: ImageMagick DOS Vulnerability
  • CVE-2026-49218: ImageMagick DCM Decoder DoS Vulnerability
  • CVE-2026-48733: ImageMagick DOS Vulnerability
  • CVE-2026-45664: ImageMagick MNG Coder DoS Vulnerability