PatchSiren cyber security CVE debrief

CVE-2016-7564 Artifex CVE debrief

CVE-2016-7564 affects Artifex MuJS and is described as a heap-based buffer overflow in Fp_toString within jsfunction.c. The practical impact called out in the source corpus is denial of service through a crash when processing crafted input. Because the NVD vector is network-reachable, unauthenticated, and requires no user interaction, exposed MuJS deployments should treat this as a high-priority stability issue.

Vendor: Artifex
Product: CVE-2016-7564
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-18
Original CVE updated: 2026-05-13
Advisory published: 2017-01-18
Advisory updated: 2026-05-13

Who should care

Teams that embed or ship MuJS, especially products that parse untrusted or remotely supplied JavaScript-related input. Operators running internet-facing services should care most because the CVSS vector indicates network attackability with no privileges or user interaction required.

Technical summary

NVD classifies this issue as CWE-119 (improper restriction of operations within the bounds of a memory buffer). The vulnerability is a heap-based buffer overflow in the Fp_toString function in jsfunction.c. NVD rates it CVSS 3.0 7.5 HIGH with AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, which aligns with a crash-oriented denial-of-service impact rather than a confidentiality or integrity impact in the supplied record.

Defensive priority

High. The combination of network attackability, no authentication, no user interaction, and availability impact makes this worth prompt remediation wherever MuJS is reachable from untrusted input.

Recommended defensive actions

  • Inventory all applications and appliances that bundle or embed MuJS.
  • Determine whether any exposed service processes attacker-controlled or remotely supplied input through MuJS.
  • Apply the vendor's remediation or upgrade path referenced in the official advisories and NVD record as soon as it is available in your environment.
  • If immediate patching is not possible, reduce exposure by removing or restricting untrusted input paths that reach MuJS.
  • Monitor for abnormal process crashes or restarts in services that use MuJS, since the documented impact is denial of service.
  • Validate that downstream packages, embedded SDKs, and forked builds have also been updated, not just the primary application.
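
The crash-monitoring action above, written out as detection logic in Python over constructed kernel segfault log lines; this is an added example, not part of the debrief. The service name render-svc, the library name libmujs.so.1, the window and the burst threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines in the Linux kernel segfault format (assumed
# service name render-svc and library libmujs.so.1; not taken from the advisory).
SAMPLE_LOG = """\
Sep 21 10:00:01 host kernel: render-svc[4101]: segfault at 0 ip 00007f3a1c2b4d10 sp 00007ffd1a1b2c30 error 4 in libmujs.so.1[7f3a1c290000+40000]
Sep 21 10:00:09 host kernel: render-svc[4102]: segfault at 0 ip 00007f3a1c2b4d10 sp 00007ffd1a1b2c30 error 4 in libmujs.so.1[7f3a1c290000+40000]
Sep 21 10:00:15 host systemd[1]: render-svc.service: Main process exited, code=killed, status=11/SEGV
Sep 21 10:00:21 host kernel: render-svc[4103]: segfault at 0 ip 00007f3a1c2b4d10 sp 00007ffd1a1b2c30 error 4 in libmujs.so.1[7f3a1c290000+40000]
Sep 21 10:30:00 host kernel: other-tool[511]: segfault at 8 ip 0000558e2a1b3c40 sp 00007ffc0f0a1b20 error 6 in other-tool[558e2a1a0000+20000]
"""

# Matches "<timestamp> <host> kernel: <proc>[<pid>]: segfault at ... in <module>[...]".
SEGFAULT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: "
    r"(?P<proc>[^\[]+)\[\d+\]: segfault at \S+ .* in (?P<module>[^\[]+)\["
)


def parse_segfaults(log_text, year=2016):
    """Return (timestamp, process, faulting module) for every kernel segfault line."""
    events = []
    for line in log_text.splitlines():
        m = SEGFAULT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["proc"].strip(), m["module"]))
    return events


def find_crash_bursts(events, window_seconds=60, threshold=3, module_hint="mujs"):
    """Flag processes that crash at least `threshold` times inside any window.

    A repeated crash loop in a service that embeds MuJS is the availability
    symptom the advisory describes, so each alert notes whether the faulting
    module name contains the hint.
    """
    by_proc = defaultdict(list)
    for ts, proc, module in events:
        by_proc[proc].append((ts, module))
    alerts = []
    for proc, items in by_proc.items():
        items.sort()
        start = 0
        for end in range(len(items)):  # sliding window over sorted crash times
            while (items[end][0] - items[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                mujs_hit = any(module_hint in mod for _, mod in items[start:end + 1])
                alerts.append({"process": proc, "crashes": end - start + 1,
                               "first": items[start][0], "mujs_module": mujs_hit})
                break
    return alerts
```

Run it against journald or syslog output for hosts known to carry MuJS; a burst alert whose faulting module names the library is a strong signal to pull core dumps and check the build against the fixed version.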

Evidence notes

The source corpus states: 'Heap-based buffer overflow in the Fp_toString function in jsfunction.c in Artifex Software MuJS allows attackers to cause a denial of service (crash) via crafted input.' NVD further maps the issue to CWE-119 and provides the CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Linked references include two oss-security mailing list posts from 2016-09-21 and 2016-09-28 plus a Ghostscript bug tracker entry marked 'Exploit, Issue Tracking'. No exploit steps or weaponized details are included here.

Official resources

The CVE was published in NVD/CVE records on 2017-01-18. The linked oss-security discussion references date to 2016-09-21 and 2016-09-28, indicating earlier public discussion before the CVE publication date. NVD shows the record as modified