Listen to this Post
CVE-2026-40169 is a moderate-severity heap buffer overflow vulnerability in ImageMagick versions prior to 7.1.2-19. The flaw, identified as a heap-based buffer overflow (CWE-122) and an out-of-bounds write (CWE-787), resides within the software’s YAML and JSON encoders. A remote attacker can exploit this vulnerability by providing a specially crafted image file. When ImageMagick processes this malformed image to generate either a YAML or JSON output, an out-of-bounds write to heap memory occurs. This occurs because the encoders improperly handle buffer sizes when processing the maliciously crafted image data. The out-of-bounds write can lead to memory corruption and a crash of the application. The vulnerability is classified with a CVSS v3.1 base score of 6.2, indicating a MEDIUM severity level. The attack vector is local (AV:L), requires low attack complexity (AC:L), and requires no privileges (PR:N) or user interaction (UI:N). The scope is unchanged (S:U), and the primary impact is on availability (A:H), with no impact on confidentiality or integrity. The issue was published to the GitHub Advisory Database on April 13, 2026, and has been fixed in ImageMagick version 7.1.2-19 and Magick.NET version 14.12.0. The fix is included in the latest versions of all affected Magick.NET packages, such as Magick.NET-Q16-AnyCPU, for which all versions prior to 14.12.0 are vulnerable.
Platform: ImageMagick/Magick.NET
Version: <7.1.2-19/<14.12.0
Vulnerability : Heap Buffer Overflow
Severity: Moderate (6.2)
date: 2026-04-13
Prediction: Patch by 2026-04-20
What Undercode Say:
Check ImageMagick version magick --version Example of a vulnerable command magick exploit.png -write json: output.json Check Magick.NET package version in a .NET project dotnet list package --include-transitive | findstr Magick.NET
Exploit:
The exploit works by creating an image with metadata that, when processed by the YAML or JSON encoders, causes a buffer overflow. A proof-of-concept can be crafted using a tool like `exiftool` to inject malicious data into an image’s metadata.
Protection from this CVE
Update ImageMagick to version 7.1.2-19 or later.
Update Magick.NET to version 14.12.0 or later.
If patching is not possible, avoid processing YAML or JSON outputs from untrusted images and ensure robust input validation.
Impact
Availability: High impact, as the vulnerability leads to application crashes and denial of service.
Confidentiality: No impact.
Integrity: No impact.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

