CVE-2026-40183
Heap Overflow in ImageMagick JXL Encoder Affects 16-Bit Float Encoding
Publication date: 2026-04-13
Last updated on: 2026-04-17
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| imagemagick | imagemagick | up to 7.1.2-19 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in ImageMagick versions below 7.1.2-19, specifically in the JXL encoder. When a user requests that an image be encoded as 16-bit floats, a heap write overflow can occur. This means that the program writes more data to a heap buffer than it can hold, potentially leading to memory corruption.
How can this vulnerability impact me?
The heap write overflow vulnerability can lead to a denial of service or potentially other unpredictable behavior due to memory corruption. According to the CVSS score (5.5), the impact is mainly on availability (A:H), meaning the application could crash or become unstable. The attack requires local access with low privileges and user interaction.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade ImageMagick to version 7.1.2-19 or later, where the heap write overflow issue in the JXL encoder has been fixed.