CVE-2026-40183
Received Received - Intake
Heap Overflow in ImageMagick JXL Encoder Affects 16-Bit Float Encoding

Publication date: 2026-04-13

Last updated on: 2026-04-17

Assigner: GitHub, Inc.

Description
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, the JXL encoder has an heap write overflow when a user specifies that the image should be encoded as 16 bit floats. This issue has been fixed in version 7.1.2-19.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-13
Last Modified
2026-04-17
Generated
2026-06-16
AI Q&A
2026-04-14
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40183
EUVD
EUVD-2026-22114
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
imagemagick imagemagick to 7.1.2-19 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in ImageMagick versions below 7.1.2-19, specifically in the JXL encoder. When a user requests that an image be encoded as 16 bit floats, a heap write overflow can occur. This means that the program writes more data to a heap buffer than it can hold, potentially leading to memory corruption.

Impact Analysis

The heap write overflow vulnerability can lead to a denial of service or potentially other unpredictable behavior due to memory corruption. According to the CVSS score (5.5), the impact is mainly on availability (A:H), meaning the application could crash or become unstable. The attack requires local access with low privileges and user interaction.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade ImageMagick to version 7.1.2-19 or later, where the heap write overflow issue in the JXL encoder has been fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40183. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart