CVE-2026-40183 - Vulnerability Details

- ImageMagick: Heap buffer overflow when encoding JXL image with a 16-bit float

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, the JXL encoder has an heap write overflow when a user specifies that the image should be encoded as 16 bit floats. This issue has been fixed in version 7.1.2-19.

Published: 2026-04-13

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

ImageMagick contains a heap buffer overflow in its JXL encoder when an image is encoded as 16‑bit float. The flaw can corrupt memory in the process and, if an attacker can control the encoding call, could enable arbitrary code execution or cause a denial of service by crashing the application. The vulnerability represents a moderate risk to the integrity of any system that processes untrusted images using this feature.

Affected Systems

The issue is present in all ImageMagick releases prior to 7.1.2‑19. Users running any older version of the ImageMagick product are potentially affected; upgrading to 7.1.2‑19 or a later release removes the flaw.

Risk and Exploitability

The CVSS score of 5.5 indicates medium severity. No EPSS data or KEV listing is available, implying limited public evidence of exploitation. Exploitation would require the JXL encoder to be invoked with the 16‑bit float option, suggesting an attack vector that relies on maliciously crafted image data processed by an application that performs such encoding. Full exploitation would likely need additional weaknesses in the surrounding environment, but the presence of a heap overflow raises concern for trusted environments or those handling unverified input.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

ImageMagick

affected

Version	Status	Constraints
`< 7.1.2-19`	affected	—

No data.

Vendor Product Confidence Versions

Imagemagick

100%

Version	Status	Scheme	Platform
`[0,7.1.2-19)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade ImageMagick to version 7.1.2‑19 or newer.
If an upgrade cannot be applied immediately, avoid using the 16‑bit float option when encoding JXL images; consider alternative formats or lower precision.
Ensure that applications leveraging ImageMagick verify the trustworthiness of input images and implement defensive checks.
Monitor for anomalous crashes or memory corruption indicators that may signal an attempt to exploit the vulnerability.

Generated by OpenCVE AI on April 14, 2026 at 01:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-jvgr-9ph5-m8v4	ImageMagick has a heap buffer overflow when encoding JXL image with a 16-bit float

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00012.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/ImageMagick/ImageMagick/releases/tag/7.1.2-19
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-jvgr-9ph5-m8v4
https://github.com/dlemstra/Magick.NET/releases/tag/14.12.0
https://nvd.nist.gov/vuln/detail/CVE-2026-40183
https://www.cve.org/CVERecord?id=CVE-2026-40183

History

Tue, 14 Apr 2026 22:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 14 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Imagemagick Imagemagick imagemagick
Vendors & Products		Imagemagick Imagemagick imagemagick

Tue, 14 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-787
References		https://nvd.nist.gov/vuln/detail/CVE-2026-40183 https://www.cve.org/CVERecord?id=CVE-2026-40183
Metrics	threat_severity `None`	threat_severity `Moderate`

Mon, 13 Apr 2026 21:45:00 +0000

Type	Values Removed	Values Added
Description		ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, the JXL encoder has an heap write overflow when a user specifies that the image should be encoded as 16 bit floats. This issue has been fixed in version 7.1.2-19.
Title		ImageMagick: Heap buffer overflow when encoding JXL image with a 16-bit float
Weaknesses		CWE-122
References		https://github.com/ImageMagick/ImageMagick/releases/tag/7.1.2-19 https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-jvgr-9ph5-m8v4 https://github.com/dlemstra/Magick.NET/releases/tag/14.12.0
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}`

Subscriptions

Imagemagick Imagemagick

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-13T21:28:20.797Z

Updated: 2026-04-14T19:27:39.187Z

Reserved: 2026-04-09T20:59:17.619Z

Link: CVE-2026-40183

Vulnrichment

Updated: 2026-04-14T19:23:18.395Z

NVD

Status : Received

Published: 2026-04-13T22:16:29.643

Modified: 2026-04-13T22:16:29.643

Link: CVE-2026-40183

Redhat

Severity : Moderate

Publid Date: 2026-04-13T21:28:20Z

Links: CVE-2026-40183 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:32:59Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object