Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-55595

CVE-2026-55595: ImageMagick DOS Vulnerability

CVE-2026-55595 is a denial of service vulnerability in ImageMagick that triggers an infinite loop when invalid arguments are passed to connected-components. This article covers technical details, affected versions, and patches.

Published:

CVE-2026-55595 Overview

CVE-2026-55595 is a denial-of-service vulnerability in ImageMagick, the widely deployed open-source image editing and manipulation library. The flaw occurs when invalid arguments are supplied to the connected-components option, causing the process to enter an infinite loop. Affected releases include ImageMagick versions prior to 6.9.13-51 and 7.1.2-26. The issue is classified under CWE-400: Uncontrolled Resource Consumption. Exploitation requires local access and user interaction, and impacts availability without exposing confidentiality or integrity.

Critical Impact

A local attacker supplying crafted arguments to the connected-components option can hang the ImageMagick process indefinitely, exhausting CPU resources and denying service to image processing workloads.

Affected Products

  • ImageMagick versions prior to 6.9.13-51
  • ImageMagick versions prior to 7.1.2-26
  • Applications and services that pass untrusted parameters to ImageMagick's connected-components option

Discovery Timeline

  • 2026-07-01 - CVE-2026-55595 published to NVD
  • 2026-07-02 - Last updated in NVD database

Technical Details for CVE-2026-55595

Vulnerability Analysis

ImageMagick's connected-components option performs connected-component labeling on an input image, grouping adjacent pixels that share connectivity criteria. When the option receives invalid arguments, the parsing or processing routine fails to reach a terminating condition. The result is an infinite loop that consumes CPU cycles until the process is externally terminated.

The vulnerability falls under CWE-400: Uncontrolled Resource Consumption. Unlike memory corruption bugs, this flaw does not permit code execution or data disclosure. The impact is limited to availability. Services that batch-process user-supplied images or expose ImageMagick via wrappers such as convert, magick, or bindings like PerlMagick and PythonMagick inherit the risk if arguments are not strictly validated.

Root Cause

The defect resides in the argument handling logic for the connected-components option. The routine does not adequately validate input before entering its main processing loop, and it fails to exit cleanly when invalid parameter values are supplied. Refer to the GitHub Security Advisory GHSA-qhmf-7fc4-8q3h for maintainer-provided technical detail.

Attack Vector

Exploitation requires local access and user interaction, typically in the form of a user or automated pipeline invoking ImageMagick with attacker-influenced arguments. A malicious operator or a compromised upstream component supplies an invalid connected-components argument. The process then loops indefinitely, holding CPU and preventing legitimate image processing tasks from completing. In shared or containerized environments, the resulting resource pressure can affect co-tenant workloads.

No verified public proof-of-concept code is available at the time of publication. See the vendor advisory for reproduction guidance.

Detection Methods for CVE-2026-55595

Indicators of Compromise

  • ImageMagick processes (magick, convert, identify) sustaining near-100% CPU utilization on a single core for extended periods
  • Image processing jobs that never complete or repeatedly hit worker timeouts
  • Command-line invocations containing -connected-components with malformed or non-numeric arguments

Detection Strategies

  • Enumerate installed ImageMagick versions across build systems, servers, and container images, and flag any release older than 6.9.13-51 or 7.1.2-26.
  • Instrument application logs to capture the full argument list passed to ImageMagick binaries so anomalous connected-components invocations can be reviewed.
  • Configure process supervisors to record and alert on ImageMagick child processes exceeding an expected CPU-time threshold.

Monitoring Recommendations

  • Track per-process CPU seconds for ImageMagick binaries and alert when values exceed baseline for a given workload.
  • Monitor worker queue backlogs in services that hand off image processing tasks, as an infinite loop will surface first as growing queue depth.
  • Review container orchestration events for repeated OOM kills or CPU throttling on image processing pods.

How to Mitigate CVE-2026-55595

Immediate Actions Required

  • Upgrade ImageMagick to version 6.9.13-51 or 7.1.2-26 or later across all hosts, containers, and build pipelines.
  • Audit application code paths that forward user-supplied values into ImageMagick command-line arguments and reject any input reaching the connected-components option.
  • Enforce CPU-time and wall-clock limits on ImageMagick invocations using ulimit, timeout, or container resource constraints.

Patch Information

The ImageMagick maintainers fixed this issue in versions 6.9.13-51 and 7.1.2-26. See the GitHub Security Advisory GHSA-qhmf-7fc4-8q3h for the authoritative release notes and commit references. Package maintainers for major Linux distributions typically backport these fixes; verify the effective source version rather than relying on the distribution package number alone.

Workarounds

  • Wrap ImageMagick calls with the timeout utility to bound execution time, for example timeout 30 magick input.png -connected-components 4 output.png.
  • Validate and whitelist argument values before passing them to ImageMagick, rejecting anything that is not a permitted integer connectivity value (4 or 8).
  • Restrict use of the connected-components option in ImageMagick's policy.xml where the workload does not require it.
bash
# Example policy.xml entry to disable the connected-components option
<policymap>
  <policy domain="coder" rights="none" pattern="connected-components" />
</policymap>

# Example invocation with a hard CPU-time limit
timeout --signal=KILL 30s magick input.png -connected-components 4 output.png

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.