CVE-2026-40310: ImageMagick: Heap out-of-bounds write in JP2 encoder
Published Apr 13, 2026
Heap out-of-bounds write in the JP2 encoder when a user specifies an invalid sampling index.
Affected Software
17 affected components. Fixes available.
ImageMagick ImageMagick < 7.1.2-19, < 6.9.13-44
nuget/Magick.NET-Q8-x86 < 14.12.0 (fixed in 14.12.0)
nuget/Magick.NET-Q8-arm64 < 14.12.0 (fixed in 14.12.0)
nuget/Magick.NET-Q8-OpenMP-x64 < 14.12.0 (fixed in 14.12.0)
nuget/Magick.NET-Q8-OpenMP-arm64 < 14.12.0 (fixed in 14.12.0)
nuget/Magick.NET-Q8-AnyCPU < 14.12.0 (fixed in 14.12.0)
nuget/Magick.NET-Q16-x86 < 14.12.0 (fixed in 14.12.0)
nuget/Magick.NET-Q16-arm64 < 14.12.0 (fixed in 14.12.0)
nuget/Magick.NET-Q16-OpenMP-x64 < 14.12.0 (fixed in 14.12.0)
nuget/Magick.NET-Q16-OpenMP-arm64 < 14.12.0 (fixed in 14.12.0)
nuget/Magick.NET-Q16-HDRI-x86 < 14.12.0 (fixed in 14.12.0)
nuget/Magick.NET-Q16-HDRI-x64 < 14.12.0 (fixed in 14.12.0)
nuget/Magick.NET-Q16-HDRI-OpenMP-arm64 < 14.12.0 (fixed in 14.12.0)
nuget/Magick.NET-Q16-HDRI-AnyCPU < 14.12.0 (fixed in 14.12.0)
nuget/Magick.NET-Q16-AnyCPU < 14.12.0 (fixed in 14.12.0)
ImageMagick ImageMagick < 6.9.13-44
ImageMagick ImageMagick >= 7.0.0-0, < 7.1.2-19
Remediation
Event History
Apr 13, 2026
CVE Published (via MITRE, 09:32 PM)
Data Sourced (via MITRE, 09:32 PM): Description, Severity, Weakness
Data Sourced (via NVD, 10:16 PM): Description, Severity, Weakness
Data Sourced (via NVD, 10:16 PM): Remedy, Affected Software
Apr 14, 2026
Advisory Published (via GitHub, 06:51 PM)
Data Sourced (via GitHub, 06:51 PM): Description, Severity, Weakness, Affected Software
Frequently Asked Questions
1. What is the severity of CVE-2026-40310?
CVE-2026-40310 is classified as a critical severity vulnerability due to the potential for heap out-of-bounds writes.
2. How do I fix CVE-2026-40310?
To fix CVE-2026-40310, upgrade ImageMagick to version 7.1.2-19 or 6.9.13-44 or later.
3. What versions of ImageMagick are affected by CVE-2026-40310?
CVE-2026-40310 affects ImageMagick versions prior to 7.1.2-19 and 6.9.13-44.
4. What type of vulnerability is CVE-2026-40310?
CVE-2026-40310 is a heap out-of-bounds write vulnerability in the JP2 encoder.
5. Can CVE-2026-40310 be exploited remotely?
Yes, CVE-2026-40310 can potentially be exploited remotely if an attacker provides a specially crafted JP2 image.