Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Versions below 7.1.2-19 and 6.9.13-44 contain a heap use-after-free vulnerability that can cause a crash when reading and printing values from an invalid XMP profile. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
Published: 2026-04-13
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (Crash)
Action: Immediate Patch
AI Analysis

Impact

A heap use‑after‑free flaw in ImageMagick allows a crafted XMP profile to trigger an invalid memory access during value printing, leading to a crash. The defect does not provide code execution but results in denial of service. The weakness is identified as a use‑after‑free (CWE‑416).

Affected Systems

The vulnerability affects ImageMagick releases older than 7.1.2‑19 and 6.9.13‑44 across all supported operating systems. Users running those versions should review their deployments.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity. EPSS data is unavailable, and the issue is not in the CISA KEV list. Exploiting the flaw requires an attacker to supply a malicious XMP profile to an application that loads ImageMagick, resulting in a crash. The attack vector is likely local or remote depending on the application boundary, but no privilege escalation or remote code execution is demonstrated.

Generated by OpenCVE AI on April 14, 2026 at 01:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ImageMagick to version 7.1.2‑19 or later, or 6.9.13‑44 or later.
  • If upgrading immediately is not possible, avoid processing XMP metadata from untrusted sources until a patch is applied.
  • Monitor for crash logs and consider isolating image processing in a restricted environment.

Generated by OpenCVE AI on April 14, 2026 at 01:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-r83h-crwp-3vm7 ImageMagick has a heap-use-after-free via XMP profile could result in a crash when printing the values.
History

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Imagemagick
Imagemagick imagemagick
Vendors & Products Imagemagick
Imagemagick imagemagick

Tue, 14 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

 threat_severity

Moderate

Mon, 13 Apr 2026 22:00:00 +0000

Type Values Removed Values Added
Description ImageMagick is free and open-source software used for editing and manipulating digital images. Versions below 7.1.2-19 and 6.9.13-44 contain a heap use-after-free vulnerability that can cause a crash when reading and printing values from an invalid XMP profile. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
Title ImageMagick: Heap-use-after-free via XMP profile could result in a crash when printing values
Weaknesses CWE-416
CWE-693
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

Subscriptions

Imagemagick Imagemagick
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-14T15:48:36.521Z

Reserved: 2026-04-10T21:41:54.505Z

Link: CVE-2026-40311

cve-icon Vulnrichment

Updated: 2026-04-14T15:48:32.477Z

cve-icon NVD

Status : Received

Published: 2026-04-13T22:16:29.950

Modified: 2026-04-13T22:16:29.950

Link: CVE-2026-40311

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-13T21:36:44Z

Links: CVE-2026-40311 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:32:57Z

Weaknesses