PatchSiren cyber security CVE debrief

CVE-2016-7906 Debian CVE debrief

CVE-2016-7906 is a denial-of-service flaw in ImageMagick’s magick/attribute.c caused by a use-after-free. In practical terms, a crafted file can trigger a crash when it is processed by a vulnerable build. NVD assigns a medium severity score (CVSS 5.5) and records a vector that requires user interaction, so the main risk is availability loss in systems that accept untrusted image content.

Vendor: Debian
Product: CVE-2016-7906
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-18
Original CVE updated: 2026-05-13
Advisory published: 2017-01-18
Advisory updated: 2026-05-13

Who should care

Teams running ImageMagick directly or through applications, libraries, or services that process user-supplied images; Linux distribution maintainers; and operators of content pipelines, thumbnails, conversion services, or upload handlers that depend on affected ImageMagick builds.

Technical summary

The NVD record identifies CWE-416 (use-after-free) in magick/attribute.c affecting ImageMagick 7.0.3-2. The provided description says a crafted file can cause denial of service, and the CVSS vector indicates AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The evidence points to an availability impact rather than confidentiality or integrity loss. References include an upstream ImageMagick patch commit and issue tracker entry, plus distro advisories.

Defensive priority

Medium. This is an availability issue with user interaction required in the NVD vector, but it affects a widely used image-processing component and can be triggered by untrusted file handling.

Recommended defensive actions

  • Upgrade ImageMagick to a version that includes the upstream fix referenced by the vendor advisory and patch commit.
  • Apply your distribution’s security update or backport if you rely on packaged ImageMagick builds.
  • Inventory applications and services that accept untrusted images, since they may inherit the risk even if they do not call ImageMagick directly.
  • Restrict processing of untrusted or malformed image files until patched, especially in upload, preview, conversion, and batch-processing workflows.
  • Monitor for crashes or abnormal termination in image-processing pipelines as a sign of exposure.
  • Validate that downstream packages and container images include the fixed ImageMagick build, not just the upstream source repository.
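The crash-monitoring step above is the one most teams skip. The following is an added example, not code from the debrief, NVD, or the ImageMagick project: it scans syslog/journal-style lines for kernel segfault records and supervisor termination notices naming ImageMagick front-ends and counts them per binary, so a spike after untrusted uploads stands out. The sample log lines, binary list, library name, and threshold are all assumptions constructed for illustration.

```python
"""Flag ImageMagick worker crashes in syslog/journal-style log lines.
Added example (not from the debrief, NVD, or ImageMagick): counts abnormal
terminations per binary so a burst of crashes in an upload or thumbnail
pipeline can be investigated as possible exposure to a DoS flaw.
"""
import re
from collections import Counter

# ImageMagick command-line front-ends (assumed list); other processes that
# link MagickCore are caught by the "Magick" substring check below.
IM_BINARIES = {"convert", "magick", "identify", "mogrify", "composite", "montage"}

# Linux kernel record, e.g. "convert[4242]: segfault at 10 ip ... in libMagickCore..."
SEGFAULT_RE = re.compile(r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: segfault at [0-9a-f]+")
# Supervisor/shell notice, e.g. "convert[4260]: Segmentation fault (core dumped)"
SIGNAL_RE = re.compile(r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?:Segmentation fault|Aborted)")

# Constructed sample log lines (not real telemetry); addresses are placeholders.
SAMPLE_LOG = [
    "Jan 18 10:01:02 thumb01 kernel: convert[4242]: segfault at 10 ip 0 sp 0 error 4 in libMagickCore-7.so[0]",
    "Jan 18 10:01:05 thumb01 sshd[910]: Accepted publickey for deploy from 10.0.0.5",
    "Jan 18 10:01:09 thumb01 kernel: convert[4251]: segfault at 10 ip 0 sp 0 error 4 in libMagickCore-7.so[0]",
    "Jan 18 10:01:11 thumb01 uploadsvc[300]: worker convert[4260]: Segmentation fault (core dumped)",
    "Jan 18 10:02:00 thumb01 kernel: identify[4300]: segfault at 0 ip 0 sp 0 error 4 in libMagickCore-7.so[0]",
    "Jan 18 10:02:30 thumb01 cron[100]: (root) CMD run-parts /etc/cron.hourly",
]


def crash_events(lines):
    """Yield (binary, pid, kind) for each abnormal termination of an ImageMagick process."""
    for line in lines:
        m, kind = SEGFAULT_RE.search(line), "segfault"
        if m is None:
            m, kind = SIGNAL_RE.search(line), "signal"
        if m is None:
            continue
        proc = m.group("proc")
        if proc in IM_BINARIES or "Magick" in line:
            yield proc, int(m.group("pid")), kind


def crash_counts(lines, threshold=3):
    """Return ({binary: crash count}, [binaries at or above threshold])."""
    counts = Counter(proc for proc, _, _ in crash_events(lines))
    alerts = sorted(b for b, n in counts.items() if n >= threshold)
    return dict(counts), alerts
```

Run `crash_counts(SAMPLE_LOG)` against the constructed lines to see `convert` cross the threshold; in production feed it the output of `journalctl -k` or the supervisor log for the image workers.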

Evidence notes

Primary evidence comes from the NVD record and linked advisories. The NVD description states that magick/attribute.c in ImageMagick 7.0.3-2 allows remote attackers to cause denial of service via a crafted file, while the NVD CVSS vector is AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H and the weakness is CWE-416. The "remote attackers" wording and the AV:L/UI:R vector are consistent with each other: the attacker supplies the file, but it is processed locally by a user or service that opens it. References point to Debian DSA-3726, ImageMagick issue 281, and upstream commit 90406972f108c4da71f998601b06abdc2ac6f06e. Note that the metadata contains a vendor/product naming mismatch: the vendor field says Debian, but the affected software is ImageMagick.

Official resources

Published by NVD on 2017-01-18 and later modified on 2026-05-13 in the supplied record. Use the published date for issue timing; the later modified date reflects record updates, not the vulnerability origin.