Listen to this Post
The vulnerability CVE-2026-40310 resides within the JPEG 2000 (JP2) encoder of ImageMagick. The core issue is triggered when a user provides an invalid sampling index, a parameter that dictates the downsampling ratio for color channels during image encoding. In the vulnerable code paths (versions prior to 6.9.13-44 and 7.1.2-19), the function `WriteJP2Image` fails to adequately validate the user-supplied `sampling_factor` value.
Specifically, the `rho` and `sigma` components of the parsed `geometry_info` structure, which represent the horizontal and vertical sampling factors, are used to set the `subsampling_dx` and `subsampling_dy` parameters. If an attacker provides a value of zero or a negative number for these factors, the code would directly assign this invalid integer to the sampling parameters. This bypasses crucial input sanitization, leading to an undersized or misconfigured memory allocation on the heap for the JPEG 2000 encoding buffers.
Subsequently, when the encoder attempts to write pixel data into this insufficiently allocated memory buffer, the write operation exceeds its allocated boundaries, resulting in a heap out-of-bounds write. This corrupts adjacent heap metadata or other dynamically allocated objects, leading to unpredictable behavior. The vulnerability can be triggered locally by processing a specially crafted image, but a remote attacker could also exploit it if an application using ImageMagick processes untrusted user uploads without proper isolation.
The fix, implemented in commit 3d653bea2df085c728a1c8f775808e1e9249dff9, corrects this by wrapping the value assignments with MagickMax(..., 1.0). This ensures that any invalid zero or negative value is clamped to a minimum of 1, preventing the creation of undersized buffers and eliminating the out-of-bounds write.
dailycve form:
Platform: ImageMagick / Magick.NET
Version: < 6.9.13-44
Vulnerability : Heap out-of-bounds write
Severity: Moderate (5.5/10)
date: 2026-04-13
Prediction: 2026-04-15 (Patched)
(end of form)
Analytics under heading What Undercode Say:
Check ImageMagick version identify -version Scan for vulnerable Magick.NET packages in a .csproj file grep -E 'Magick.NET-.-AnyCPU|Magick.NET-.-x64|Magick.NET-.-Q16' your_project.csproj One-liner to test for CVE-2026-40310 (checks if an invalid sampling factor causes a crash) convert -sampling-factor 0x0 input.png output.jp2 && echo "VULNERABLE" || echo "PATCHED or CRASH"
How Exploit:
Example Python snippet using Wand (ImageMagick binding)
from wand.image import Image
Craft malicious image with invalid sampling factor
with Image(filename='source.png') as img:
Trigger the vulnerability by setting a zero sampling factor
img.options['jp2:sampling-factor'] = '0x0'
try:
img.save(filename='exploit.jp2')
print("Exploit likely successful - process crash or memory corruption.")
except Exception as e:
print(f"Exploit failed or target is patched: {e}")
Protection from this CVE
Upgrade ImageMagick to versions 6.9.13-44, 7.1.2-19, or later. If you use Magick.NET via NuGet, upgrade all affected packages to version 14.12.0 or later. If immediate upgrading is not possible, a workaround is to disable the JP2 encoder entirely, for example by using the policy file (policy.xml) to block the `JP2` coder:
<policy domain="coder" rights="none" pattern="JP2" />
Impact
The primary impact is a denial of service (DoS) due to application crashes, with a CVSS base score of 5.5 (Moderate). While arbitrary code execution is considered possible under specific conditions, it has not been publicly demonstrated. The vulnerability has a local attack vector, but can be exploited remotely in configurations where an application processes untrusted images. It requires no privileges and low attack complexity, but does necessitate user interaction (e.g., opening a malicious file).
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow DailyCVE & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin
mitmproxy, LDAP Authentication Bypass, (CVE unknown) (Medium)
