PatchSiren

CVE-2016-7563 Artifex CVE debrief

CVE-2016-7563 is a high-severity denial-of-service issue in Artifex MuJS. According to NVD, the chartorune function can perform an out-of-bounds read when a * (asterisk) appears at the end of the input, which can crash or otherwise disrupt the process handling the data. The issue is classified as CWE-125 and is reachable without privileges or user interaction per the CVSS vector.

Vendor: Artifex
Product: CVE-2016-7563
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-18
Original CVE updated: 2026-05-13
Advisory published: 2017-01-18
Advisory updated: 2026-05-13

Who should care

Organizations that ship, embed, or depend on Artifex MuJS should care, especially if MuJS is used to process untrusted or externally supplied input. Security teams responsible for application runtimes, document-processing pipelines, or products that parse user-controlled content should prioritize review.

Technical summary

NVD lists this as CVSS 3.0 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H with CWE-125. The affected area is the chartorune function in MuJS, where an input ending with * can trigger an out-of-bounds read. The primary impact described in the source is denial of service.

Defensive priority

High for exposed or internet-facing deployments that accept untrusted input; moderate for internal-only deployments. The vulnerability is availability-only, but it is reachable without authentication and without user interaction, so exposed parsers should be reviewed promptly.

Recommended defensive actions

  • Identify whether any products, packages, or services include Artifex MuJS.
  • Check whether untrusted input can reach MuJS parsing or tokenization paths, especially around chartorune handling.
  • Upgrade to a vendor-fixed MuJS version if one is available from your supplier or downstream package maintainer.
  • Apply downstream security updates from your OS or application vendor as soon as they are published.
  • If immediate remediation is not possible, reduce exposure by limiting untrusted input paths that invoke MuJS.
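
The first action above (finding where MuJS is included) can be scripted as a sweep over source trees and build outputs. This is an added example, not code from PatchSiren or Artifex: the marker strings are heuristic assumptions, the sample tree is constructed, and a hit shows that MuJS is present, not which version it is.

```python
import os
import sys
import tempfile

# Heuristic markers (assumptions of this example): chartorune is the function named
# in the CVE text; mujs.h and js_newstate are MuJS's public header and constructor.
MARKERS = (b"chartorune", b"mujs.h", b"js_newstate")

def scan_file(path):
    """Return the sorted marker names found in one file (source or binary)."""
    try:
        if os.path.islink(path):
            return []  # do not follow links out of the tree being inventoried
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return []  # unreadable file: treat as no evidence
    return sorted(m.decode() for m in MARKERS if m in data)

def find_mujs_candidates(root):
    """Map each file under root (relative path) to the markers it contains."""
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            found = scan_file(path)
            if found:
                hits[os.path.relpath(path, root)] = found
    return hits

def build_sample_tree(root):
    """Write a constructed tree: vendored copy, consumer, unrelated file."""
    files = {
        ("third_party", "mujs", "utf.c"): b"/* constructed: defines chartorune */\n",
        ("src", "app.c"): b'#include "mujs.h"\n/* constructed: calls js_newstate */\n',
        ("docs", "readme.txt"): b"constructed file with no MuJS reference\n",
    }
    for parts, body in files.items():
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo:
        build_sample_tree(demo)  # scanned only when no directory is given
        root = sys.argv[1] if len(sys.argv) > 1 else demo
        for rel, found in sorted(find_mujs_candidates(root).items()):
            print(f"{rel}: {', '.join(found)}")
```

Stripped binaries may not retain symbol names, so pair a sweep like this with package-manager or SBOM data before concluding that MuJS is absent.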

Evidence notes

NVD states: affected product Artifex MuJS; weakness CWE-125; CVSS vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The supplied description says chartorune allows denial of service via an out-of-bounds read when a * appears at the end of input. The source references include oss-security mailing list posts from 2016-09-21 and 2016-09-28 and a Ghostscript bug tracker entry.

Official resources

The CVE record was published on 2017-01-18. The supplied references indicate public discussion in oss-security in September 2016, with the CVE assigned and published later by the CVE program and NVD.