CVE-2026-40311: ImageMagick: Heap-use-after-free via XMP profile could result in a crash when printing values
Published Apr 13, 2026
A heap use-after-free when reading an invalid XMP profile could result in a crash when printing the values.
Affected Software
17 affected components, fixes available
ImageMagick ImageMagick <7.1.2-19, <6.9.13-44
nuget/Magick.NET-Q8-x86 <14.12.0 (fix: 14.12.0)
nuget/Magick.NET-Q8-arm64 <14.12.0 (fix: 14.12.0)
nuget/Magick.NET-Q8-OpenMP-arm64 <14.12.0 (fix: 14.12.0)
nuget/Magick.NET-Q8-AnyCPU <14.12.0 (fix: 14.12.0)
nuget/Magick.NET-Q16-x86 <14.12.0 (fix: 14.12.0)
nuget/Magick.NET-Q16-arm64 <14.12.0 (fix: 14.12.0)
nuget/Magick.NET-Q16-OpenMP-x64 <14.12.0 (fix: 14.12.0)
nuget/Magick.NET-Q16-OpenMP-arm64 <14.12.0 (fix: 14.12.0)
nuget/Magick.NET-Q16-HDRI-x86 <14.12.0 (fix: 14.12.0)
nuget/Magick.NET-Q16-HDRI-x64 <14.12.0 (fix: 14.12.0)
nuget/Magick.NET-Q16-HDRI-arm64 <14.12.0 (fix: 14.12.0)
nuget/Magick.NET-Q16-HDRI-OpenMP-arm64 <14.12.0 (fix: 14.12.0)
nuget/Magick.NET-Q16-HDRI-AnyCPU <14.12.0 (fix: 14.12.0)
nuget/Magick.NET-Q16-AnyCPU <14.12.0 (fix: 14.12.0)
ImageMagick ImageMagick <6.9.13-44
ImageMagick ImageMagick >=7.0.0-0, <7.1.2-19
Remediation
Event History
Apr 13, 2026
09:36 PM: CVE Published via MITRE
09:36 PM: Data Sourced via MITRE (Description, Severity, Weakness)
10:16 PM: Data Sourced via NVD (Description, Severity, Weakness)
10:16 PM: Data Sourced via NVD (Remedy, Affected Software)
Apr 14, 2026
06:51 PM: Advisory Published via GitHub
06:51 PM: Data Sourced via GitHub (Description, Severity, Weakness, Affected Software)
Frequently Asked Questions
1. What is the severity of CVE-2026-40311?
CVE-2026-40311 has been classified as a high severity vulnerability due to potential denial of service effects.
2. How do I fix CVE-2026-40311?
To fix CVE-2026-40311, upgrade ImageMagick to version 7.1.2-19 or 6.9.13-44, or later.
3. What type of vulnerability is CVE-2026-40311?
CVE-2026-40311 is a heap-use-after-free vulnerability that can cause application crashes.
4. Which versions of ImageMagick are affected by CVE-2026-40311?
ImageMagick versions below 7.1.2-19 and below 6.9.13-44 are affected by CVE-2026-40311.
5. Can CVE-2026-40311 be exploited remotely?
Yes, CVE-2026-40311 can potentially be exploited remotely if crafted XMP profiles are processed.