CVE-2026-40311: Heap Use-After-Free in ImageMagick XMP Profile Parsing
Vulnerability ID: CVE-2026-40311
CVSS Score: 5.5
Published: 2026-04-14
CVE-2026-40311 is a medium-severity heap use-after-free (UAF) vulnerability located in ImageMagick's Extensible Metadata Platform (XMP) profile parser. The flaw occurs within the GetXMPProperty function due to improper memory lifecycle management when interacting with internal splay tree structures, leading to a denial-of-service condition when malformed images are processed.
TL;DR
ImageMagick versions prior to 7.1.2-19 and 6.9.13-44 contain a heap use-after-free vulnerability in the XMP metadata parser. Processing crafted images causes incorrect memory deallocation within the application's splay tree, resulting in denial of service via segmentation faults during metadata extraction.
Technical Details
- CWE ID: CWE-416
- Attack Vector: Local / User Interaction Required
- CVSS Score: 5.5 (Medium)
- EPSS Score: 0.00015 (3.18%)
- Impact: Denial of Service (DoS)
- Exploit Status: Unexploited / No PoC
- KEV Status: Not Listed
Affected Systems
- ImageMagick 7.x
- ImageMagick 6.x
- Magick.NET
- ImageMagick: < 7.1.2-19 (Fixed in: 7.1.2-19)
- ImageMagick: < 6.9.13-44 (Fixed in: 6.9.13-44)
- Magick.NET: < 14.12.0 (Fixed in: 14.12.0)
Code Analysis
Commit: 5facfec
Fix for heap use-after-free in GetXMPProperty via explicit memory ownership transfer to splay tree and local buffer destruction.
Mitigation Strategies
- Upgrade ImageMagick to patched versions (7.1.2-19 or 6.9.13-44).
- Upgrade Magick.NET dependencies to version 14.12.0 or higher.
- Implement metadata stripping (XMP/Exif) in isolated preprocessing pipelines before passing images to ImageMagick.
- Monitor application logs and system events for SIGSEGV crashes in image processing binaries.
Remediation Steps:
- Identify all systems and container images utilizing ImageMagick or Magick.NET.
- Update package manager configurations to fetch the latest stable releases.
- Execute updates to install ImageMagick 7.1.2-19 or 6.9.13-44.
- Rebuild and redeploy applications dependent on Magick.NET with version 14.12.0.
- Verify the installation by running `magick -version` to confirm the patched version is active.
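The verification step above, as an added example that is not part of the original advisory or the ImageMagick project: a POSIX shell check that parses the `Version:` line and compares it numerically, field by field, against the fixed releases 7.1.2-19 and 6.9.13-44. The function names and the sample banner lines are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the advisory): compare an installed ImageMagick
# version with the fixed releases the advisory names.

# Pull "X.Y.Z-P" out of the first line of `magick -version` output.
im_version_from_banner() {
  printf '%s\n' "$1" |
    sed -n 's/^Version: ImageMagick \([0-9][0-9.]*-[0-9][0-9]*\).*/\1/p' | head -n 1
}

# Exit status: 0 = at or above the fixed release for its branch,
#              1 = older than the fix, 2 = unrecognised version string.
im_is_patched() {
  case "$1" in
    7.*) im_fixed="7.1.2-19" ;;    # fixed release per the advisory
    6.*) im_fixed="6.9.13-44" ;;   # fixed release per the advisory
    *) return 2 ;;
  esac
  IFS=.- read -r im_a im_b im_c im_p <<EOF
$1
EOF
  IFS=.- read -r im_fa im_fb im_fc im_fp <<EOF
$im_fixed
EOF
  # Every field must be a non-empty decimal number.
  for im_f in "$im_a" "$im_b" "$im_c" "$im_p"; do
    case "$im_f" in ''|*[!0-9]*) return 2 ;; esac
  done
  # Compare numerically, most significant field first (so -9 sorts below -19).
  set -- "$im_a" "$im_fa" "$im_b" "$im_fb" "$im_c" "$im_fc" "$im_p" "$im_fp"
  while [ $# -gt 0 ]; do
    [ "$1" -gt "$2" ] && return 0
    [ "$1" -lt "$2" ] && return 1
    shift 2
  done
  return 0
}

# Constructed sample banners; on a real host pass "$(magick -version)" instead.
for im_banner in \
  "Version: ImageMagick 7.1.2-18 Q16-HDRI x86_64 (constructed sample)" \
  "Version: ImageMagick 6.9.13-44 Q16 x86_64 (constructed sample)"; do
  im_v=$(im_version_from_banner "$im_banner")
  if im_is_patched "$im_v"; then echo "$im_v: patched"; else echo "$im_v: NOT patched"; fi
done
```

ImageMagick 6 installs typically have no `magick` binary; take the banner from `convert -version` or `identify -version` there.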