ImageMagick MIFF Decoder Infinite Loop Enables CPU Exhaustion DoS
What Happened – A newly disclosed vulnerability (CVE‑2026‑46522) in ImageMagick’s MIFF decoder allows an attacker to craft a malicious image that triggers an infinite decompression loop, consuming 100 % CPU until the process is killed. The issue is reproducible on ImageMagick 7.x (verified on 7.1.2‑3).
Why It Matters for TPRM –
- Image processing pipelines are common in SaaS, cloud‑hosted services, and content‑delivery platforms; a single malicious file can degrade or halt operations.
- The vulnerability is exploitable via file upload, a typical attack surface for third‑party integrations.
- Remediation requires library updates or mitigations that may impact service‑level agreements with vendors.
Who Is Affected – Technology‑SaaS providers, cloud‑hosting platforms, digital media services, and any organization that incorporates ImageMagick for image manipulation (e.g., e‑commerce, advertising, publishing).
Recommended Actions –
- Verify whether any third‑party services or internal applications use ImageMagick 7.x.
- Prioritize patching to the latest ImageMagick release that addresses CVE‑2026‑46522.
- Implement file‑type validation and processing timeouts for image uploads.
- Review vendor contracts for clauses covering timely security updates.
Technical Notes – The MIFF decoder fails to reject a zero‑length BZip2 block, causing BZ2_bzDecompress to return BZ_OK indefinitely. The loop only exits on BZ_STREAM_END or error codes not returned, leading to a CPU‑bound denial‑of‑service. No remote code execution is disclosed. Source: Exploit‑DB 52595