CVE-2026-40311: Heap Use-After-Free in ImageMagick XMP Profile Parsing

ImageMagick is a core image processing library utilized extensively across software ecosystems and web applications. The software implements an Extensible Metadata Platform (XMP) parser to handle embedded image properties and profile data. This functionality processes hierarchical metadata structures embedded within supported image formats to extract tags and color profiles.

CVE-2026-40311 identifies a heap-based use-after-free (UAF) vulnerability within this XMP profile parsing subsystem. The vulnerability specifically affects the GetXMPProperty function located in the MagickCore/property.c source file. The flaw emerges during the processing of specially crafted or malformed XMP profiles containing conflicting or overlapping property tags.

The vulnerability is formally classified under CWE-416 (Use After Free) and CWE-693 (Protection Mechanism Failure). It requires user interaction, specifically the processing of a maliciously constructed image file by the target application. Successful exploitation primarily results in application crashes and denial of service due to heap memory corruption.

The attack surface includes any application exposing ImageMagick processing to untrusted inputs. Automated media transcoders, web application upload handlers, and server-side image scaling utilities are standard targets for this class of vulnerability.

The root cause of CVE-2026-40311 lies in improper memory ownership transfer within ImageMagick's splay tree implementation. The application utilizes a splay tree data structure to store and manage parsed image properties for rapid retrieval. When the XMP parser iterates through metadata nodes, it extracts tags into a local heap-allocated buffer.

In vulnerable versions, the parser passes this local heap buffer directly to the AddValueToSplayTree function. The splay tree implementation assumes total ownership of the provided key pointer upon insertion. If the tree already contains a property node matching the new key, the existing node's key pointer is freed and replaced with the newly provided pointer to maintain uniqueness.

A use-after-free condition materializes when the parsing loop continues to track, reference, or modify the original pointer after the splay tree has deallocated it. The local loop logic remains unaware that the underlying memory has been freed by the splay tree. Subsequent operations on this dangling pointer corrupt the heap state.

The vulnerability relies on this desynchronization between the local execution scope and the global data structure's memory allocator. The splay tree functions correctly according to its contract, but the caller (GetXMPProperty) violates memory safety by retaining a reference to transferred memory.

The vulnerability is located in the interaction between the property extraction loop and the splay tree population logic within MagickCore/property.c. Prior to the fix, the code passed mutable pointers directly into the tree without enforcing strict memory separation. The local loop maintained a reference to the property variable while delegating its lifecycle management to the tree structure.

Commit 5facfecf1abb3fed46a08f614dcc43d1e548e20d introduces several structural changes to rectify the memory management flaw. The primary fix enforces strict separation of memory ownership. The parser now creates an explicit, isolated copy of the string data using the ConstantString() allocation function before passing the value to the splay tree.

The patch implements explicit deallocation for the local buffer and introduces structural validation for the XMP tags. This combination ensures that the parser strictly manages its own memory scope while preventing structurally invalid keys from reaching the tree logic.

/* Patched implementation in MagickCore/property.c */
property=ConstantString(GetXMLTreeTag(node));
(void) SubstituteString(&property,"exif:","xmp:");
property_length=strlen(property);
 
/* Structural validation prevents malformed namespace processing */
if ((property_length > 2) && (*(property+(property_length-2)) != ':') ||
    (*(property+(property_length-1)) != '*'))
{
    /* ConstantString ensures the splay tree manages an independent memory copy */
    (void) AddValueToSplayTree((SplayTreeInfo *) image->properties,
        ConstantString(property),ConstantString(content));
}
 
/* Explicit cleanup of the local pointer prevents dangling references */
property=DestroyString(property);

The patch resolves the use-after-free by decoupling the lifecycle of the local loop buffer from the memory managed by the splay tree. The structural validation step further restricts the processing of anomalous tags ending in :* or extremely short tags, effectively narrowing the attack surface for future namespace parsing flaws.

Exploitation of CVE-2026-40311 requires an attacker to construct an image file containing a maliciously engineered XMP profile. The profile must include specific sequences of duplicate or overlapping metadata tags designed to manipulate the splay tree's replacement logic. The attacker must then deliver this file to a system processing images with a vulnerable version of ImageMagick.

The execution trigger relies on the application attempting to access the stored metadata. Operations that invoke ImageMagick's property printing or exporting routines, such as executing the identify -verbose command, force the application to traverse the corrupted splay tree. During traversal, the program dereferences the dangling pointer stored in the previously modified tree node.

Since the underlying memory has been freed and potentially reallocated by subsequent heap operations, the read operation yields corrupted data or attempts to access unmapped memory pages. This produces an immediate segmentation fault (SIGSEGV). The process crash disrupts the service handling the image processing pipeline.

There are currently no public proof-of-concept exploits that leverage this vulnerability for arbitrary code execution. Achieving arbitrary code execution from a read-based use-after-free requires precise heap grooming to control the contents of the reallocated chunk, followed by a mechanism to redirect execution flow based on the corrupted data read.

The primary operational impact of this vulnerability is localized denial of service (DoS). Applications and services that automatically process user-supplied images using ImageMagick are vulnerable to targeted crashes. This includes web application upload handlers, automated media transcoders, and backend batch processing scripts.

The Common Vulnerability Scoring System (CVSS) v3.1 metric evaluates this flaw at 5.5 (Medium severity). The corresponding vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H reflects the requirement for user interaction, specifically the processing of a maliciously submitted file, combined with the high impact on process availability. Confidentiality and integrity impacts are assessed as none in the current exploit landscape.

The Exploit Prediction Scoring System (EPSS) assigns a probability of 0.00015 (3.18th percentile), indicating a very low likelihood of active exploitation in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. The complex nature of heap manipulation required for code execution makes widespread weaponization highly difficult.

Repeated exploitation attempts against an automated processing queue can lead to resource exhaustion or sustained service degradation. If a vulnerable worker node continuously pulls and crashes on the same malicious image, the processing pipeline halts, leading to broader system outages.

The definitive remediation for CVE-2026-40311 is updating the ImageMagick suite and its dependent libraries to patched versions. Administrators must deploy ImageMagick version 7.1.2-19 or 6.9.13-44. Development teams utilizing the Magick.NET wrapper must upgrade to version 14.12.0 or later to inherit the upstream security fixes.

In environments where immediate patching is unfeasible, operators should implement robust input validation and sanitization measures. Web applications handling user uploads should strip XMP and Exif metadata from images using isolated preprocessing pipelines before passing files to ImageMagick. Utilizing tools like exiftool to sanitize metadata removes the attack vector entirely.

Security monitoring solutions should track application logs for unexpected termination events. Frequent segmentation faults originating from the identify binary or processes loading libMagickCore indicate potential exploitation attempts or the presence of malformed image processing jobs. Alerting on SIGSEGV events associated with image processing binaries provides early warning of targeted denial-of-service activity.

System hardening practices, such as running image processing routines in restricted containerized environments or implementing strict memory limits, mitigate the blast radius of crashes. Ensuring processes restart cleanly and isolate failed jobs prevents a single malformed file from permanently halting a multi-tenant processing queue.