Listen to this Post
The vulnerability exists in ImageMagick’s JXL (JPEG XL) encoder when a user explicitly requests the image to be encoded as 16‑bit floating point samples.
Internally, the function `WriteJXLImage()` allocates a heap buffer to hold pixel data converted from the internal `Quantum` format to the JXL required format.
If the input image uses a 16‑bit float representation (e.g., HDRI mode with `QuantumDepth=16` and FloatingPoint=1), the encoder miscalculates the required buffer size.
The calculation omits padding or alignment necessary for the 16‑bit float channel layout, leading to a heap write overflow.
When the encoder writes each pixel component, it writes beyond the allocated buffer boundary.
The overflow occurs during the loop that converts `Quantum` values into 16‑bit floats and copies them into the output buffer.
An attacker can craft a malicious image file (or supply specific encoding parameters) that triggers this miscalculation.
The overflow corrupts adjacent heap metadata or other heap‑allocated objects.
This can lead to a crash (denial of service) or, under controlled conditions, arbitrary code execution.
The issue affects all Magick.NET packages that bundle ImageMagick versions before 14.12.0.
Specifically, any NuGet package with `Magick.NET-` versions lower than 14.12.0 is vulnerable.
The root cause is in the JXL encoder’s `WriteJXLImage()` function, where the buffer size for 16‑bit float images is computed as `width height channels sizeof(float)` but the encoder writes `sizeof(float)` bytes per channel.
However, because the internal representation may use a different stride or extra padding, the actual written size exceeds the allocated size.
The vulnerability is triggered only when the user sets the `JxlEncode` option to use 16‑bit float format.
This is often done via `-define jxl:floating-point=1` or programmatically in Magick.NET.
The heap overflow is a classic “write beyond bounds” vulnerability and is present in the JXL module contributed to ImageMagick.
It was discovered during fuzzing of the JXL encoder with 16‑bit HDRI images.
The patch in version 14.12.0 corrects the buffer size calculation by using the actual required stride.
DailyCVE Form
Platform: ImageMagick Magick.NET
Version: Below 14.12.0
Vulnerability: Heap buffer overflow
Severity: Moderate
Date: Apr 14 2026
Prediction: Expected Apr 20
What Undercode Say:
Analytics
Check ImageMagick version for JXL encoder identify -version | grep -i jxl Test if system is vulnerable (using a crafted 16-bit float command) convert input.png -define jxl:floating-point=1 output.jxl Monitor heap overflow with AddressSanitizer convert -sanitize address input.png -define jxl:floating-point=1 output.jxl For Magick.NET, check NuGet package version dotnet list package | grep Magick.NET Grep for vulnerable version range in project file grep -E 'Magick.NET.Version.[0-9]+.[0-9]+.[0-9]+' .csproj
Exploit:
Provide a crafted image (e.g., PNG with specific dimensions) and force encoding to JXL with -define jxl:floating-point=1. The heap write overflow corrupts malloc metadata. A working exploit would control the overflow size to overwrite a function pointer or adjacent buffer, leading to code execution. Example command:
`convert poc.png -define jxl:floating-point=1 exploit.jxl`
Protection from this CVE
Upgrade Magick.NET to version 14.12.0 or higher. Alternatively, disable the JXL encoder by removing the JXL delegate or recompiling ImageMagick without --with-jxl. For runtime mitigation, avoid using `-define jxl:floating-point=1` on untrusted images.
Impact
Heap buffer overflow can cause immediate crash (denial of service). In advanced scenarios, an attacker may achieve arbitrary code execution with the privileges of the ImageMagick process, leading to system compromise.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

