ImageMagick Heap Use-After-Free Vulnerability (CVE-2026-40311) Exposes Software to Crashes
A newly disclosed vulnerability in the widely used ImageMagick software, tracked as CVE-2026-40311, exposes systems to potential crashes due to a heap use-after-free flaw. The vulnerability, with a CVSS score of 5.5 (Medium severity), resides in the software's handling of XMP profiles. Specifically, reading and printing values from an invalid XMP profile can trigger the use-after-free condition, crashing the application and causing a denial of service. The flaw affects all ImageMagick versions before 6.9.13-44 on the 6.x release line and before 7.1.2-19 on the 7.x release line.
The vulnerability is classified under CWE-416 (Use After Free) and CWE-693 (Protection Mechanism Failure). The issue has been addressed by the ImageMagick development team. Patches are available in the released versions 6.9.13-44 and 7.1.2-19. The fix was implemented in a specific commit to the project's GitHub repository, and corresponding updates have been issued for related projects like Magick.NET (version 14.12.0). A GitHub Security Advisory (GHSA-r83h-crwp-3vm7) has been published detailing the security flaw.
While the immediate risk is application instability and crashes, the presence of a use-after-free flaw often represents a more serious underlying risk. Such memory corruption vulnerabilities can, in some cases, be leveraged as a stepping stone for further exploitation, though no such proof-of-concept is currently indicated. System administrators and developers relying on ImageMagick for image processing must prioritize applying the available patches to mitigate this denial-of-service risk and harden their software supply chain against potential future exploitation paths.
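
The version boundaries given above can be checked mechanically during an inventory sweep. The following Python is an added example, not code from ImageMagick or the advisory; it assumes the usual `Version: ImageMagick X.Y.Z-N` banner printed by `magick -version` (or `convert -version` on older installs), and the sample banners are constructed.

```python
import re
import shutil
import subprocess

# Fixed releases named in the article, one per release line.
FIXED_6 = (6, 9, 13, 44)
FIXED_7 = (7, 1, 2, 19)

_VERSION = re.compile(r"ImageMagick\s+(\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_version(banner):
    """Extract (major, minor, patch, build) from `-version` output, or None."""
    m = _VERSION.search(banner)
    return tuple(int(g) for g in m.groups()) if m else None


def assess(banner):
    """Return 'vulnerable', 'fixed' or 'unknown' for a version banner."""
    version = parse_version(banner)
    if version is None or version[0] > 7:
        return "unknown"  # unparseable, or a release line the article does not cover
    # Tuple comparison orders 6.9.13-9 before 6.9.13-44, unlike string comparison.
    fixed = FIXED_7 if version[0] == 7 else FIXED_6
    return "vulnerable" if version < fixed else "fixed"


def local_banner():
    """Return the installed binary's version banner, or '' if none is on PATH."""
    for name in ("magick", "convert"):
        path = shutil.which(name)
        if path:
            result = subprocess.run([path, "-version"], capture_output=True, text=True)
            return result.stdout
    return ""


# Constructed sample banners (not captured from real hosts).
SAMPLES = [
    "Version: ImageMagick 6.9.13-9 Q16 x86_64 https://imagemagick.org",
    "Version: ImageMagick 6.9.13-44 Q16 x86_64 https://imagemagick.org",
    "Version: ImageMagick 7.1.2-18 Q16-HDRI x86_64 https://imagemagick.org",
    "Version: ImageMagick 7.1.2-19 Q16-HDRI x86_64 https://imagemagick.org",
]

if __name__ == "__main__":
    for line in SAMPLES + [local_banner()]:
        print(assess(line), "|", line.splitlines()[0] if line else "(no ImageMagick on PATH)")
```

A distribution package can carry a backported fix under an older upstream version string, so a "vulnerable" result from the banner alone is a prompt to check the package changelog rather than a final verdict.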