Heap Use-After-Free Vulnerability in ImageMagick Software
CVE-2026-40311
Severity: 5.5 (Medium)
What is CVE-2026-40311?
ImageMagick, a widely used open-source suite for digital image manipulation, contains a heap use-after-free that an attacker can trigger through an invalid XMP profile. Processing such a profile can crash the application, which exposes affected systems to potential data loss or data exposure. The issue has been fixed in the latest releases; users are advised to upgrade to version 6.9.13-44 on the 6.x line or 7.1.2-19 on the 7.x line to mitigate the risk.
Affected Version(s)
ImageMagick 7.x: all versions earlier than 7.1.2-19 (fixed in 7.1.2-19)
ImageMagick 6.x: all versions earlier than 6.9.13-44 (fixed in 6.9.13-44)
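The practical check for this advisory is whether an installed ImageMagick sits at or above the fixed release for its major line. The following POSIX shell script is an added example written for this page, not code from ImageMagick or from the advisory: it parses the first line of magick -version or convert -version (format "Version: ImageMagick X.Y.Z-N ..."), normalises the "X.Y.Z-N" form so that sort -V orders the patch level numerically, and compares against the two fixed versions named above. The sample output line is constructed; the fixed-version strings are the ones from the advisory.

```shell
#!/bin/sh
# Added example (not from the advisory or the ImageMagick project): decide
# whether an installed ImageMagick is at or above the fixed release for
# CVE-2026-40311. Fixed versions come from the advisory text.
FIXED_6="6.9.13-44"
FIXED_7="7.1.2-19"

# Turn "7.1.2-19" into "7.1.2.19" so sort -V compares the patch level as a number.
im_norm() {
    printf '%s\n' "$1" | tr '-' '.'
}

# im_version_ge A B -> exit 0 when A >= B under version-sort ordering.
im_version_ge() {
    a=$(im_norm "$1")
    b=$(im_norm "$2")
    # The smaller of the two sorts first; A >= B exactly when that is B.
    [ "$(printf '%s\n%s\n' "$a" "$b" | sort -V | head -n 1)" = "$b" ]
}

# im_is_fixed VERSION -> exit 0 when VERSION is in a fixed release, 1 otherwise.
# The threshold is chosen by major line, since 6.x and 7.x are fixed separately.
im_is_fixed() {
    case "$1" in
        7.*) im_version_ge "$1" "$FIXED_7" ;;
        6.*) im_version_ge "$1" "$FIXED_6" ;;
        *)   return 1 ;;   # empty or unrecognised: do not report as fixed
    esac
}

# im_extract_version LINE -> the "X.Y.Z-N" token from a "Version:" line.
im_extract_version() {
    printf '%s\n' "$1" \
      | sed -n 's/^Version: ImageMagick \([0-9][0-9.]*-[0-9][0-9]*\).*/\1/p' \
      | head -n 1
}

# Constructed sample of the CLI's first output line (version value made up).
SAMPLE_OUTPUT="Version: ImageMagick 7.1.1-15 Q16-HDRI x86_64 22247 https://imagemagick.org"

# Stand-alone use: inspect the locally installed binary, if there is one.
if command -v magick >/dev/null 2>&1 || command -v convert >/dev/null 2>&1; then
    first_line=$( (magick -version 2>/dev/null || convert -version 2>/dev/null) | head -n 1)
    installed=$(im_extract_version "$first_line")
    if im_is_fixed "$installed"; then
        echo "ImageMagick $installed: at or above the fixed release for CVE-2026-40311"
    else
        echo "ImageMagick ${installed:-<unknown>}: below the fixed release, upgrade"
    fi
fi
```

Run it on each host that has ImageMagick on PATH; a version the script cannot recognise is deliberately reported as not fixed rather than assumed safe, so that hosts with unusual builds get a manual look.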