CVE-2026-24485

Name: CVE-2026-24485
Creator: NVD / NIST
Published: 2026-02-24T01:16:12.757+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.5/10EPSS 0.45%

Last modified Jun 17, 2026

CVE-2026-24485 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, when a PCD file does not contain a valid Sync marker, the DecodeImage() function becomes trapped in an infinite loop while searching for the Sync marker, causing the program to become unresponsive and continuously consume CPU resources, ultimately leading to system resource exhaustion and denial of service. EPSS estimates a 0.45% chance of exploitation in the next 30 days.

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, when a PCD file does not contain a valid Sync marker, the DecodeImage() function becomes trapped in an infinite loop while searching for the Sync marker, causing the program to become unresponsive and continuously consume CPU resources, ultimately leading to system resource exhaustion and denial of service. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Probability

0.45%

35.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-400

Affected Software

Vendor	Product	Versions
Imagemagick	Imagemagick	< 6.9.13-40
Imagemagick	Imagemagick	>= 7.0.0-0, < 7.1.2-15
Dlemstra	Magick.Net	< 14.10.3

References

https://github.com/ImageMagick/ImageMagick/commit/332c1566acc2de77857032d3c2504ead6210ff50Patch
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-pqgj-2p96-rx85Vendor Advisory
https://github.com/dlemstra/Magick.NET/releases/tag/14.10.3Product, Release Notes

Timeline

Published: Feb 24, 2026
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2026-24485?

How severe is CVE-2026-24485?

CVE-2026-24485 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 0.45% probability of exploitation in the next 30 days.

How do I fix CVE-2026-24485?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2026-24485?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST