PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-8690 Fedoraproject CVE debrief

CVE-2016-8690 affects JasPer’s BMP decoding path and can cause a denial of service when a crafted BMP image is processed by the imginfo command. The issue is a NULL pointer dereference in bmp_getdata, which can terminate the application instead of safely rejecting the file. NVD lists the flaw as medium severity and ties it to availability impact rather than code execution or data exposure.

Vendor: Fedoraproject
Product: CVE-2016-8690
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-15
Original CVE updated: 2026-05-13
Advisory published: 2017-02-15
Advisory updated: 2026-05-13

Who should care

Teams that ship, package, or use JasPer to inspect or convert untrusted BMP images, especially distributions and applications that expose imginfo or similar parsing workflows to user-supplied files.

Technical summary

The vulnerability is in bmp_getdata within libjasper/bmp/bmp_dec.c. According to the record, JasPer versions before 1.900.5 can dereference a NULL pointer when handling a crafted BMP image, leading to a crash/DoS. The NVD entry maps the weakness to CWE-476 and assigns CVSS 3.0 vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, indicating a user-interaction-dependent availability issue. The corpus also includes vendor and downstream references, including a patch commit and distribution advisories.
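To make the CWE-476 failure mode concrete, here is an added C example written for this debrief; it is not JasPer's code and the header/image types, size cap and function names (bmp_image_create, bmp_getdata_unchecked, bmp_getdata_checked, bmp_decode_probe) are hypothetical. It shows the shape of the bug class, a decoder stage that legitimately returns NULL for a malformed header, and a caller that either dereferences that result blindly (crash, denial of service) or checks it and rejects the file with an error, which is the behaviour a fixed decoder should have.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical minimal BMP-style header and image for this example; these
 * are not JasPer's structures. A negative height means top-down rows. */
typedef struct { int32_t width; int32_t height; uint16_t bitcount; } bmp_hdr_t;
typedef struct { int32_t width; int32_t height; uint8_t *pixels; } bmp_image_t;

#define MAX_PIXELS (1u << 26)   /* arbitrary sanity cap for the example */

/* Allocate a 24-bit image for the header. Returns NULL when the header is
 * malformed or allocation fails; every caller must check for that. */
bmp_image_t *bmp_image_create(const bmp_hdr_t *hdr)
{
    if (hdr->width <= 0 || hdr->height == 0 || hdr->bitcount != 24)
        return NULL;
    int64_t h = hdr->height < 0 ? -(int64_t)hdr->height : hdr->height;
    uint64_t npix = (uint64_t)hdr->width * (uint64_t)h;
    if (npix > MAX_PIXELS)
        return NULL;
    bmp_image_t *img = calloc(1, sizeof *img);
    if (!img)
        return NULL;
    img->pixels = calloc((size_t)npix, 3);
    if (!img->pixels) { free(img); return NULL; }
    img->width = hdr->width;
    img->height = (int32_t)h;
    return img;
}

void bmp_image_destroy(bmp_image_t *img)
{
    if (img) { free(img->pixels); free(img); }
}

/* CWE-476 shape: the decoder result is dereferenced without a NULL check, so
 * a header that bmp_image_create rejects crashes the process (DoS) instead
 * of producing an error. Shown for contrast only. */
int bmp_getdata_unchecked(const bmp_hdr_t *hdr, const uint8_t *data,
                          size_t len, bmp_image_t **out)
{
    bmp_image_t *img = bmp_image_create(hdr);
    size_t need = (size_t)img->width * (size_t)img->height * 3; /* img may be NULL */
    if (len < need) { bmp_image_destroy(img); return -1; }
    memcpy(img->pixels, data, need);
    *out = img;
    return 0;
}

/* Hardened shape: a NULL result or truncated pixel data is reported as a
 * decode error and the file is rejected. */
int bmp_getdata_checked(const bmp_hdr_t *hdr, const uint8_t *data,
                        size_t len, bmp_image_t **out)
{
    *out = NULL;
    bmp_image_t *img = bmp_image_create(hdr);
    if (!img)
        return -1;                          /* malformed header: reject */
    size_t need = (size_t)img->width * (size_t)img->height * 3;
    if (len < need) { bmp_image_destroy(img); return -1; }  /* short data */
    memcpy(img->pixels, data, need);
    *out = img;
    return 0;
}

/* Probe: build a header plus a zero-filled buffer of `datalen` bytes, run the
 * checked decoder, and return its result code (0 accepted, -1 rejected). */
int bmp_decode_probe(int32_t w, int32_t h, uint16_t bitcount, size_t datalen)
{
    bmp_hdr_t hdr = { w, h, bitcount };
    uint8_t *buf = calloc(datalen ? datalen : 1, 1);
    if (!buf)
        return -2;
    bmp_image_t *img = NULL;
    int rc = bmp_getdata_checked(&hdr, buf, datalen, &img);
    bmp_image_destroy(img);
    free(buf);
    return rc;
}

int main(void)
{
    int ok  = bmp_decode_probe(2, 2, 24, 12);  /* 2x2 image, 12 pixel bytes */
    int bad = bmp_decode_probe(0, 0, 24, 12);  /* zero-size header: rejected */
    return (ok == 0 && bad == -1) ? 0 : 1;
}
```

The point of the contrast is that the NULL return itself is correct behaviour for a decoder; the defect lives in the caller that assumes success. A fix therefore checks the result at the call site and propagates an error, which is what turns a crash into a rejected file.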

Defensive priority

Medium. This is a service-stability issue, not a privilege-escalation or code-execution issue, but it can still be disruptive if your environment processes untrusted images automatically or at scale.

Recommended defensive actions

  • Update JasPer to a fixed release at or above 1.900.5, or apply the referenced upstream patch if you maintain a downstream build.
  • Inventory applications and pipelines that use JasPer BMP parsing, including imginfo and any file-validation or thumbnailing workflows.
  • Restrict or sandbox image-processing components that accept untrusted uploads.
  • Monitor for parser crashes or repeated service restarts that could indicate malformed-image handling problems.
  • If you package JasPer in a distribution, confirm your vendor advisory/errata includes the fix before release.
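As an added example for the inventory and monitoring items above (written for this debrief, not taken from JasPer or any distribution tooling), the C program below does two things: it compares a JasPer version string against the 1.900.5 fixed release named in the record, and it scans kernel-style segfault log lines for imginfo faults on the first memory page, which is the usual footprint of a NULL pointer dereference. The log lines, pids and addresses are constructed for the example; the function names (jasper_version_is_fixed, is_null_page_fault, count_null_page_faults) are this example's own.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse "major.minor.patch" into three integers; 0 on success, -1 otherwise. */
static int parse_version(const char *s, long v[3])
{
    for (int i = 0; i < 3; i++) {
        char *end;
        if (!isdigit((unsigned char)*s))
            return -1;
        errno = 0;
        v[i] = strtol(s, &end, 10);
        if (errno)
            return -1;
        if (i < 2) {
            if (*end != '.')
                return -1;
            s = end + 1;
        } else if (*end != '\0') {
            return -1;
        }
    }
    return 0;
}

/* 1 if `ver` is at or above 1.900.5 (the first fixed release named in the
 * advisory), 0 if it is an affected release, -1 if the string is malformed.
 * Distribution builds may backport the fix under an older version string, so
 * treat 0 as "check the vendor errata", not as proof of exposure. */
int jasper_version_is_fixed(const char *ver)
{
    static const long fixed[3] = { 1, 900, 5 };
    long v[3];
    if (parse_version(ver, v) != 0)
        return -1;
    for (int i = 0; i < 3; i++) {
        if (v[i] > fixed[i]) return 1;
        if (v[i] < fixed[i]) return 0;
    }
    return 1;
}

/* Return 1 if `line` is a Linux kernel "comm[pid]: segfault at ADDR ip ... sp
 * ... error N in ..." message for process `proc` whose fault address lies in
 * the first page (ADDR < 4096), the usual signature of a NULL-pointer
 * dereference; 0 otherwise. Any syslog/journal prefix before comm is ignored. */
int is_null_page_fault(const char *line, const char *proc)
{
    const char *p = strstr(line, "segfault at ");
    if (!p || p - line < 4 || p[-1] != ' ' || p[-2] != ':' || p[-3] != ']')
        return 0;
    const char *q = p - 4;                     /* last digit of the pid */
    while (q > line && isdigit((unsigned char)*q))
        q--;
    if (*q != '[')
        return 0;
    const char *comm_end = q;                  /* comm is the token before '[' */
    while (q > line && !isspace((unsigned char)q[-1]))
        q--;
    size_t plen = strlen(proc);
    if ((size_t)(comm_end - q) != plen || strncmp(q, proc, plen) != 0)
        return 0;
    unsigned long addr = strtoul(p + strlen("segfault at "), NULL, 16);
    return addr < 4096;
}

/* Count first-page faults attributed to `proc` across `n` log lines. */
int count_null_page_faults(const char *const *lines, size_t n, const char *proc)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += is_null_page_fault(lines[i], proc);
    return hits;
}

/* Constructed sample log lines in the kernel's segfault format; pids and
 * addresses are made up for the example. */
static const char *const SAMPLE_LOG[] = {
    "imginfo[4211]: segfault at 0 ip 00007f3a1c2b4d10 sp 00007ffd3e1c5a60 error 4 in libjasper.so.1.0.0[7f3a1c2a0000+40000]",
    "kernel: imginfo[4219]: segfault at 8 ip 00007f3a1c2b4d18 sp 00007ffd3e1c5a60 error 4 in libjasper.so.1.0.0[7f3a1c2a0000+40000]",
    "convert[5120]: segfault at 7f1a2c000000 ip 00007f1a2bf01234 sp 00007ffc12345678 error 4 in libc.so.6[7f1a2be00000+1c0000]",
    "imginfo[4300]: segfault at 7f3a1cfff000 ip 00007f3a1c2b5000 sp 00007ffd3e1c5a60 error 6 in libjasper.so.1.0.0[7f3a1c2a0000+40000]",
    "systemd[1]: Started thumbnail worker.",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

int main(void)
{
    printf("jasper 1.900.4 fixed? %d\n", jasper_version_is_fixed("1.900.4"));
    printf("imginfo first-page faults: %d\n",
           count_null_page_faults(SAMPLE_LOG, SAMPLE_LOG_LEN, "imginfo"));
    return 0;
}
```

A fault address in the first page is a useful triage signal, not a verdict: it says a process dereferenced a near-NULL pointer, which matches this bug class, but attributing it to CVE-2016-8690 still requires the binary to be linked against an affected libjasper and the input to be a BMP. The version check is the quicker test for packaged builds, with the backport caveat noted in the code.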

Evidence notes

Grounded in the NVD CVE record and linked references. The description states a crafted BMP image can trigger a NULL pointer dereference in bmp_getdata, and the record lists JasPer versions before 1.900.5 as affected. Reference timestamps show the issue was discussed in 2016, while the CVE record was published on 2017-02-15 and later modified on 2026-05-13. No exploit code or reproduction steps are included here.

Official resources

The CVE record was published on 2017-02-15 and later modified on 2026-05-13. Supporting references in the corpus date to 2016, indicating the issue was publicly discussed before CVE publication.