Listen to this Post
How the CVE Works
The vulnerability exists in the MNG (Multiple-image Network Graphics) coder of ImageMagick. The coder fails to enforce the configured `list-length` policy limit during the processing of crafted MNG files. Specifically, when a malicious MNG file is provided, the decoder does not correctly validate the number of images against the set policy threshold, allowing it to parse and allocate resources for a large number of frames beyond the allowed limit.
This bypass is possible because the MNG coder processes image frames sequentially. The policy check is performed at the beginning of the decoding process but is not re-evaluated for each new frame as the file’s embedded instructions (like LOOP) are executed. By crafting an MNG file with an oversized loop count (e.g., 2,147,483,647), an attacker can cause the coder to repeatedly create image objects, effectively ignoring the `list-length` cap.
The issue leads to uncontrolled memory consumption. Each frame requires memory allocation for pixel data and metadata. Without the list limit, the coder will continue to allocate these resources until the system’s memory is exhausted, triggering a denial-of-service (DoS) condition. This is a classic resource exhaustion attack that exploits a missing bounds check in the MNG coder’s logic.
The vulnerability is present in versions of ImageMagick that lack a fix for this specific logical error. It is triggered when an attacker supplies a specially crafted MNG file to a vulnerable ImageMagick instance, for example, via a web upload form or a command-line conversion.
DailyCVE Form
Platform: ImageMagick
Version: <7.1.2-19, <6.9.13-44
Vulnerability: Policy bypass in MNG coder
Severity: Moderate
Date: May 18, 2026
Prediction: Include expected Patch date: May 16, 2026 (patched)
What Undercode Say:
Check ImageMagick version `identify -version`
Test for vulnerability (requires a crafted MNG file) `identify vulnerable.mng`
Apply patch by upgrading to fixed version `sudo apt-get update && sudo apt-get install imagemagick=7.1.2-19`
Disable MNG encoder as mitigation (policy.xml) `
Exploit
An attacker crafts a malicious MNG file containing an extremely large loop count (e.g., 2,147,483,647). When processed by an affected ImageMagick version, the MNG decoder reads more frames than the list limit policy permits, causing the system to exhaust available memory. This leads to a denial-of-service condition, crashing the application or the entire system.
Protection from this CVE
- Upgrade to ImageMagick versions 7.1.2-19 or 6.9.13-44, which include the complete patch.
- Disable the MNG encoder by adding `
` to policy.xml. - Avoid processing untrusted MNG files.
- Run ImageMagick in a sandboxed environment to limit the impact of resource exhaustion.
Impact
- Denial of Service: The vulnerability can lead to a crash or system unresponsiveness due to memory exhaustion.
- Resource Exhaustion: An attacker can consume all available system memory, affecting other processes and services.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

