Bug 2442091 (CVE-2026-24485)

Summary: CVE-2026-24485 ImageMagick: ImageMagick: Denial of Service via malformed PCD file processing
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in ImageMagick. A remote attacker could exploit this vulnerability by providing a specially crafted PCD (Picture CD) image file that lacks a valid Sync marker. This causes the DecodeImage() function to enter an infinite loop, leading to continuous CPU resource consumption and system resource exhaustion. The primary consequence is a denial of service (DoS), rendering the program unresponsive.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2442202, 2442203    
Bug Blocks:    

Description OSIDB Bzimport 2026-02-24 01:01:45 UTC 
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, when a PCD file does not contain a valid Sync marker, the DecodeImage() function becomes trapped in an infinite loop while searching for the Sync marker, causing the program to become unresponsive and continuously consume CPU resources, ultimately leading to system resource exhaustion and denial of service. Versions 7.1.2-15 and 6.9.13-40 contain a patch.