Listen to this Post
How CVE-2026-40310 Works
The vulnerability resides within the JPEG 2000 (JP2) encoder of ImageMagick. The core issue is triggered when a user provides an invalid sampling index, a parameter that dictates the downsampling ratio for color channels during image encoding. In the vulnerable code paths (versions prior to 6.9.13-44 and 7.1.2-19), the function `WriteJP2Image` fails to adequately validate the user-supplied `sampling_factor` value. Specifically, the `rho` and `sigma` components of the parsed `geometry_info` structure, which represent the horizontal and vertical sampling factors, are used to set the `subsampling_dx` and `subsampling_dy` parameters. If an attacker provides a value of zero or a negative number for these factors, the code would directly assign this invalid integer to the sampling parameters. This bypasses crucial input sanitization, leading to an undersized or misconfigured memory allocation on the heap for the JPEG 2000 encoding buffers. Subsequently, when the encoder attempts to write pixel data into this insufficiently allocated memory buffer, the write operation exceeds its allocated boundaries, resulting in a heap out-of-bounds write. This corrupts adjacent heap metadata or other dynamically allocated objects, leading to unpredictable behavior. The vulnerability can be triggered locally by processing a specially crafted image, but a remote attacker could also exploit it if an application using ImageMagick processes untrusted user uploads without proper isolation. The fix, implemented in commit 3d653bea2df085c728a1c8f775808e1e9249dff9, corrects this by wrapping the value assignments with MagickMax(..., 1.0). This ensures that any invalid zero or negative value is clamped to a minimum of 1, preventing the creation of undersized buffers and eliminating the out-of-bounds write.
DailyCVE Form
Platform: ImageMagick/Magick.NET
Version: < 6.9.13-44
Vulnerability: Heap out-of-bounds write
Severity: Moderate (5.5/10)
Date: 2026-04-13
Prediction: 2026-04-15 (Patched)
Analytics
What Undercode Say:
Check ImageMagick version identify -version Scan for vulnerable Magick.NET packages in a .csproj file grep -E 'Magick.NET-.-AnyCPU|Magick.NET-.-x64|Magick.NET-.-Q16' your_project.csproj One-liner to test for CVE-2026-40310 (checks if an invalid sampling factor causes a crash) convert -sampling-factor 0x0 input.png output.jp2 && echo "VULNERABLE" || echo "PATCHED or CRASH"
Exploit
An attacker needs to supply a specially crafted image with an invalid sampling index (zero or negative) to the JP2 encoder. When ImageMagick processes this image, the flaw triggers, causing memory corruption. The low attack complexity and no privileges required make it accessible for local attackers, especially in environments where image processing is exposed to untrusted input. The attack vector is local but can be exploited remotely if an application processes untrusted user uploads.
Protection from this CVE
Install updates from vendor’s website and upgrade to patched versions:
– ImageMagick: Upgrade to version 6.9.13-44 or 7.1.2-19
– Magick.NET: Upgrade to version 14.13.1
– Debian: Upgrade to version 8:7.1.1.43+dfsg1-1+deb13u8 or higher
Alternatively, avoid processing untrusted images with the JP2 encoder until patching is possible.
Impact
Exploitation leads to a heap out-of-bounds write that can corrupt adjacent heap metadata, causing application crashes or denial of service (DoS). Under certain conditions, it could potentially enable malicious actors to execute arbitrary code. The CVSS base score is 5.5 (Medium), with high availability impact, local attack vector, low attack complexity, and no privileges required.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

