CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-40310: Heap-Based Out-of-Bounds Write in ImageMagick JP2 Encoder

Vulnerability ID: CVE-2026-40310
CVSS Score: 5.5
Published: 2026-04-14

CVE-2026-40310 is a heap-based out-of-bounds write in the ImageMagick JPEG 2000 (JP2) encoder. The trigger is a sampling factor of zero. The value is taken from the encoder's sampling-factor option (image_info->sampling_factor, i.e. the -sampling-factor setting or its API equivalent), not from the input image, and before the fix it was cast to int and used without any range check. A zero feeds into the geometry calculation that sizes a heap buffer, the buffer comes out too small, and the encoder's subsequent writes run past its end and overwrite adjacent heap memory. In practice the observed impact is an application crash (denial of service). The flaw affects ImageMagick 7.x before 7.1.2-19 and 6.x before 6.9.13-44.

TL;DR

An attacker who can control the sampling factor passed to the ImageMagick JP2 encoder (locally, or through a client-facing service that exposes encoder options) can supply a value of zero and trigger a heap out-of-bounds write, corrupting memory and crashing the process.


⚠️ Exploit Status: POC
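As an added example, not ImageMagick's code and not part of the original report, the following C program models the three behaviours at issue: the pre-fix cast that lets a zero through, the clamp-to-1 behaviour of the patch, and a stricter reject-on-invalid check an application can apply before handing a user-controlled factor to the encoder. The factor grammar ("R" or "RxS"), the upper bound MAX_SUBSAMPLING and all function names are assumptions for the illustration; the bound of 255 is taken from the one-byte component separation field of a JPEG 2000 SIZ marker, not from anything in the ImageMagick fix.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Upper bound on a subsampling step. This is an assumption for the example:
 * the ImageMagick fix only clamps the lower end to 1 and sets no maximum.
 * 255 is the largest component separation a JPEG 2000 SIZ marker can encode.
 */
#define MAX_SUBSAMPLING 255

/* Horizontal/vertical subsampling steps handed to the JP2 encoder. */
typedef struct {
    int dx;
    int dy;
} subsampling_t;

/*
 * Pre-fix behaviour, modelled on the removed lines of the hunk: the parsed
 * value is cast straight to int, so "0" (the CVE-2026-40310 trigger) and
 * "-3" both reach the encoder unchanged.
 */
int legacy_subsampling_dx(const char *factor)
{
    return (int) strtod(factor, NULL);
}

/*
 * Post-fix behaviour: the same cast, but clamped to at least 1.0 first,
 * which is what MagickMax(geometry_info.rho, 1.0) does in the patch.
 * Note that no upper bound is applied here either.
 */
int clamped_subsampling_dx(const char *factor)
{
    double rho = strtod(factor, NULL);
    return (int) (rho > 1.0 ? rho : 1.0);
}

/*
 * Parse one integer component of a factor string. Rejects an empty field,
 * anything outside [1, MAX_SUBSAMPLING] and values that overflow long.
 * On success *end points just past the digits consumed.
 */
static int parse_component(const char *s, const char **end, int *out)
{
    char *e;
    long v;

    errno = 0;
    v = strtol(s, &e, 10);
    if (e == s || errno == ERANGE)
        return -1;                      /* no digits, or out of range */
    if (v < 1 || v > MAX_SUBSAMPLING)
        return -1;                      /* 0, negative, or absurdly large */
    *out = (int) v;
    *end = e;
    return 0;
}

/*
 * Strict validation for an application that passes a user-controlled
 * sampling factor to ImageMagick. Accepts "R" or "RxS" with both parts
 * integers in [1, MAX_SUBSAMPLING]; as in the encoder, dy defaults to dx
 * when only one value is given. Returns 0 on success, -1 on rejection.
 */
int parse_sampling_factor(const char *factor, subsampling_t *out)
{
    const char *p;
    int dx, dy;

    if (factor == NULL || out == NULL)
        return -1;
    if (parse_component(factor, &p, &dx) != 0)
        return -1;
    dy = dx;
    if (*p == 'x' || *p == 'X') {
        if (parse_component(p + 1, &p, &dy) != 0)
            return -1;
    }
    if (*p != '\0')
        return -1;                      /* trailing junk: "2.5", "2x1x1", ... */
    out->dx = dx;
    out->dy = dy;
    return 0;
}

int main(void)
{
    /* Constructed inputs: the CVE trigger, legitimate factors, and junk. */
    const char *inputs[] = { "0", "2x1", "2", "-3", "2.5", "300", "2x0" };
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        subsampling_t s;
        int ok = parse_sampling_factor(inputs[i], &s);
        printf("%-5s legacy dx=%-4d clamped dx=%-4d strict: %s",
               inputs[i], legacy_subsampling_dx(inputs[i]),
               clamped_subsampling_dx(inputs[i]),
               ok == 0 ? "accepted" : "rejected");
        if (ok == 0)
            printf(" (dx=%d, dy=%d)", s.dx, s.dy);
        printf("\n");
    }
    return 0;
}
```

The point of the strict variant is that it reports misuse instead of hiding it: a zero is an error in the caller's input, and silently turning it into 1 (as the clamp does) produces an image the user did not ask for while leaving the invalid option unnoticed upstream.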

Technical Details

  • CWE ID: CWE-122
  • Attack Vector: Local / Client-Side
  • CVSS v3.1 Score: 5.5
  • EPSS Score: 0.00012
  • Primary Impact: Denial of Service (Crash)
  • Exploit Status: Proof-of-Concept Only
  • CISA KEV: Not Listed

Affected Systems

  • ImageMagick 7.x: < 7.1.2-19 (fixed in 7.1.2-19)
  • ImageMagick 6.x: < 6.9.13-44 (fixed in 6.9.13-44)
  • Magick.NET (bundles ImageMagick): < 14.12.0 (fixed in 14.12.0)

Code Analysis

Commit: 3d653be

The fix addresses a heap out-of-bounds write in the JP2 encoder caused by missing validation of the geometry_info values parsed from the sampling factor.

@@ -1103,10 +1103,12 @@ static MagickBooleanType WriteJP2Image(const ImageInfo *image_info,Image *image,

       flags=ParseGeometry(image_info->sampling_factor,&geometry_info);
       if ((flags & RhoValue) != 0)
-        parameters->subsampling_dx=(int) geometry_info.rho;
+        parameters->subsampling_dx=(int) MagickMax(
+          geometry_info.rho,1.0);
       parameters->subsampling_dy=parameters->subsampling_dx;
       if ((flags & SigmaValue) != 0)
-        parameters->subsampling_dy=(int) geometry_info.sigma;
+        parameters->subsampling_dy=(int) MagickMax(
+          geometry_info.sigma,1.0);
     }
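Review bot: the MagickMax on the + lines only bounds the low end, so the cast to int still accepts any large or non-integer rho/sigma: a factor such as 1e12 passes the clamp unchanged and the double-to-int conversion of an out-of-range value is undefined behaviour in C, and a value like 1.9 silently truncates to 1. Suggest bounding the upper end as well (or rejecting non-integers and values outside the encoder's legal range) and raising a writer exception for an invalid factor instead of coercing it, so the caller learns the option was ignored; a regression input with a zero factor is also not part of this hunk.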

Mitigation Strategies

  • Upgrade ImageMagick to 7.1.2-19 or later (7.x) or 6.9.13-44 or later (6.x).
  • Upgrade downstream packages that bundle ImageMagick, such as Magick.NET, to 14.12.0 or later.
  • Where the application exposes the sampling factor to users (for example as an encode option in an image-conversion service), validate it before calling ImageMagick: accept only integers of at least 1, and reject rather than silently clamp invalid values.
  • Disable the JP2 coder through policy.xml (a coder-domain rule with rights="none", or rights="read" to keep decoding while denying encoding) if JPEG 2000 output is not required.
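As an added example of the policy.xml mitigation (not from the original report or the ImageMagick project), the fragment below keeps JPEG 2000 decoding available but denies encoding. The coder names are the ones ImageMagick registers for JPEG 2000 (JP2, J2C, J2K, JPC, JPT); use rights="none" if decoding is not needed either. The policy file is the one listed by magick -list policy (commonly /etc/ImageMagick-7/policy.xml), and the policy element belongs inside the existing policymap; the wrapper element is shown here only so the fragment is well-formed on its own.

```xml
<policymap>
  <!-- Deny writing (encoding) JPEG 2000 output while leaving decoding enabled.
       Change rights="read" to rights="none" to disable these coders entirely. -->
  <policy domain="coder" rights="read" pattern="{JP2,J2C,J2K,JPC,JPT}" />
</policymap>
```

After saving the file, magick -list policy should show the rule, and a write such as magick rose: out.jp2 should be refused with a security-policy error while reading an existing .jp2 still works.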

Remediation Steps:

  1. Identify every deployed ImageMagick instance via the package manager or by inspecting the binary (magick -version for 7.x, convert -version for 6.x), including copies vendored into container images and language bindings.
  2. Update system packages to the patched version supplied by the OS vendor; distributions often backport the fix under the original version string, so check the package changelog rather than only the version number.
  3. Rebuild applications that statically link or vendor ImageMagick against the patched source.
  4. Review .NET project files (e.g., .csproj) and update the Magick.NET NuGet packages to 14.12.0 or later.
  5. Deploy the updated binaries to staging, verify the image-conversion pipelines (including a JP2 write), and then promote to production.

Read the full report for CVE-2026-40310 on our website for more details including interactive diagrams and full exploit analysis.
