ImageMagick, Heap Use-After-Free, CVE-2026-40311 (MEDIUM)

Listen to this Post

ImageMagick suffers from a heap use-after-free vulnerability (CWE-416) when handling malformed XMP metadata. The flaw resides in the code that reads and prints values from an XMP profile. When the library processes an invalid XMP profile, it frees a heap memory region but then later dereferences a pointer to that freed memory (use-after-free). After the memory is freed, an attacker can cause the same memory to be reallocated for a different purpose, but the original pointer still references it. When the original pointer is subsequently used to read or write data, the operation acts on memory that now belongs to another allocation, leading to memory corruption. This corruption typically manifests as a crash (segmentation fault), but in principle could be abused for more severe outcomes such as information disclosure or arbitrary code execution. The vulnerability is triggered by calling functions that print XMP values; the heap use-after-free occurs during that printing process. ImageMagick also exhibits a protection mechanism failure (CWE-693) because it lacks sufficient checks to prevent the use of freed memory. The issue is fixed in versions 6.9.13-44 and 7.1.2-19 by correcting the pointer handling in the XMP parsing logic.

DailyCVE Form

Platform: ImageMagick
Version: below 7.1.2-19
Vulnerability: Heap Use-After-Free
Severity: MEDIUM
date: 2026-04-13

Prediction: Patch: 2026-04-12

Analytics under heading What Undercode Say:

Check ImageMagick version
identify -version
Create a malformed XMP profile trigger
echo "<?xpacket begin='' id='W5M0MpCehiHzreSzNTczkc9d'?><x:xmpmeta></x:xmpmeta>" > trigger.xmp
Exploit via convert (will crash vulnerable versions)
convert -profile trigger.xmp vulnerable.jpg out.png
Scan all images in a directory for XMP
find . -name ".jpg" -exec identify -verbose {} \; 2>&1 | grep -i xmp
Test for CVE-2026-40311
if identify -version | grep -q "7.1.2-19|6.9.13-44"; then echo "Not vulnerable"; else echo "VULNERABLE"; fi
Apply fix (Ubuntu/Debian)
sudo apt-get update && sudo apt-get install imagemagick
Apply fix (RHEL/CentOS)
sudo yum update ImageMagick
Apply fix (from source)
git clone https://github.com/ImageMagick/ImageMagick.git && cd ImageMagick && git checkout 7.1.2-19 && ./configure && make && sudo make install

how Exploit:

Craft a specially crafted image file containing an invalid XMP profile. When a user opens or converts this image using a vulnerable ImageMagick version, the heap use-after-free triggers, causing the application to crash (denial of service). For a remote attack, trick the user into downloading and processing the malicious image (e.g., via email, web upload). The crash is reliable and immediate, requiring no special privileges.

Protection from this CVE

  • Upgrade ImageMagick to 6.9.13-44, 7.1.2-19, or later.
  • Disable XMP profile parsing if not needed (-define profile:skip=xmp).
  • Process untrusted images in a sandboxed environment (Docker, firejail).
  • Use AppArmor or SELinux to limit ImageMagick’s capabilities.
  • Monitor for crashes using `auditd` or similar.

Impact

  • Denial of service (application crash)
  • Potential memory corruption leading to unpredictable behavior
  • No confidentiality or integrity impact per CVSS (CWE-416)
  • Affects all platforms running vulnerable ImageMagick versions
  • Remote exploitation possible if user processes attacker-supplied image

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top