CVE-2026-40310 Overview
CVE-2026-40310 is a heap out-of-bounds write vulnerability affecting ImageMagick, the popular open-source software suite for editing and manipulating digital images. The vulnerability exists in the JP2 (JPEG 2000) encoder component and can be triggered when a user specifies an invalid sampling index during image processing operations. This memory corruption issue could allow an attacker to cause a denial of service condition by crashing the application.
Critical Impact
A heap out-of-bounds write in ImageMagick's JP2 encoder could lead to application crashes and denial of service when processing maliciously crafted images with invalid sampling parameters.
Affected Products
- ImageMagick versions below 7.1.2-19
- ImageMagick versions below 6.9.13-44
- Magick.NET versions below 14.12.0
Discovery Timeline
- 2026-04-13 - CVE-2026-40310 published to NVD
- 2026-04-13 - Last updated in NVD database
Technical Details for CVE-2026-40310
Vulnerability Analysis
This vulnerability is classified as CWE-122 (Heap-based Buffer Overflow), a memory corruption issue that occurs when data is written beyond the allocated heap buffer boundaries. The flaw resides in the JP2 encoder within the coders/jp2.c file of ImageMagick.
When processing images with user-supplied sampling factors for JPEG 2000 encoding, the vulnerable code fails to properly validate the sampling index values. Specifically, the subsampling_dx and subsampling_dy parameters derived from user input could be set to invalid values (including zero or negative values), leading to heap memory corruption during subsequent encoding operations.
The vulnerability requires local access and user interaction—an attacker would need to convince a victim to process a maliciously crafted image or use specific command-line parameters when converting images to JP2 format.
Root Cause
The root cause is improper input validation in the JP2 encoder when parsing geometry information for subsampling parameters. The original code directly assigned user-supplied values to the subsampling_dx and subsampling_dy parameters without enforcing minimum bounds, allowing invalid values to corrupt heap memory during encoding operations.
Attack Vector
The attack vector requires local access with user interaction. An attacker could exploit this vulnerability by:
- Crafting a malicious image processing command with invalid sampling factor parameters
- Convincing a victim to process the image using ImageMagick with specific JP2 encoding options
- Triggering the heap overflow when the invalid sampling index is processed
The vulnerability primarily results in denial of service through application crashes, as the heap corruption disrupts normal memory operations.
// Security patch in coders/jp2.c
// Source: https://github.com/ImageMagick/ImageMagick/commit/3d653bea2df085c728a1c8f775808e1e9249dff9
flags=ParseGeometry(image_info->sampling_factor,&geometry_info);
if ((flags & RhoValue) != 0)
- parameters->subsampling_dx=(int) geometry_info.rho;
+ parameters->subsampling_dx=(int) MagickMax(
+ geometry_info.rho,1.0);
parameters->subsampling_dy=parameters->subsampling_dx;
if ((flags & SigmaValue) != 0)
- parameters->subsampling_dy=(int) geometry_info.sigma;
+ parameters->subsampling_dy=(int) MagickMax(
+ geometry_info.sigma,1.0);
}
property=GetImageProperty(image,"comment",exception);
if (property != (const char *) NULL)
The patch adds MagickMax() calls to ensure that subsampling values are never less than 1.0, preventing the heap overflow condition.
Detection Methods for CVE-2026-40310
Indicators of Compromise
- Unexpected crashes of ImageMagick processes during JP2/JPEG 2000 encoding operations
- Core dumps or segmentation faults associated with convert, mogrify, or other ImageMagick utilities
- Unusual command-line parameters specifying abnormal sampling factors (e.g., -sampling-factor 0x0)
- Application logs showing heap corruption or memory allocation errors in JP2 encoder operations
Detection Strategies
- Monitor for ImageMagick process crashes with heap corruption signatures in crash dumps
- Implement file integrity monitoring on ImageMagick binaries to detect unauthorized modifications
- Review application logs for abnormal image processing errors related to JP2 encoding
- Deploy memory protection tools (ASan, Valgrind) in development environments to detect out-of-bounds writes
Monitoring Recommendations
- Enable verbose logging for ImageMagick operations in production environments
- Configure crash monitoring systems to alert on ImageMagick process terminations
- Implement input validation at the application layer before passing parameters to ImageMagick
- Set up automated vulnerability scanning to identify outdated ImageMagick installations
How to Mitigate CVE-2026-40310
Immediate Actions Required
- Upgrade ImageMagick to version 7.1.2-19 or later for the 7.x branch
- Upgrade ImageMagick to version 6.9.13-44 or later for the 6.x branch
- Update Magick.NET to version 14.12.0 or later if using the .NET wrapper
- Restrict ImageMagick's execution to trusted users and validated inputs
Patch Information
ImageMagick has released security patches addressing this vulnerability. The fix ensures that subsampling parameters are validated to have a minimum value of 1.0, preventing the heap overflow condition. Patches are available through the official GitHub repository:
- ImageMagick 7.1.2-19 Release
- Security Commit 3d653bea2df085c728a1c8f775808e1e9249dff9
- GitHub Security Advisory GHSA-pwg5-6jfc-crvh
- Magick.NET 14.12.0 Release
Workarounds
- Disable JP2/JPEG 2000 encoding in ImageMagick policy configuration if not required
- Implement strict input validation to reject invalid sampling factor parameters before processing
- Run ImageMagick in a sandboxed environment with restricted memory access
- Use ImageMagick's policy.xml to restrict coders and limit resource usage
# Configuration example - Disable JP2 coder in ImageMagick policy.xml
# Add the following to /etc/ImageMagick-7/policy.xml or /etc/ImageMagick-6/policy.xml
<policy domain="coder" rights="none" pattern="JP2" />
<policy domain="coder" rights="none" pattern="JPC" />
<policy domain="coder" rights="none" pattern="JPX" />
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
