PatchSiren cyber security CVE debrief

CVE-2016-8693 Fedoraproject CVE debrief

CVE-2016-8693 describes a double-free in JasPer's mem_close logic that can be triggered by a crafted BMP image handled by the imginfo command. The published record ties the flaw to denial of service and possible code execution, and downstream advisories show it was handled through vendor package updates.

Vendor: Fedoraproject
Product: CVE-2016-8693
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-15
Original CVE updated: 2026-05-13
Advisory published: 2017-02-15
Advisory updated: 2026-05-13

Who should care

Security teams, Linux distribution maintainers, and application owners using JasPer/libjasper or imginfo to process untrusted BMP files should care most, especially where image parsing is exposed to user-supplied content.

Technical summary

The vulnerability is a double free in mem_close within jas_stream.c in JasPer. According to the supplied record, JasPer versions before 1.900.10 are affected, and the issue can be reached through a crafted BMP image processed by imginfo. The impact is crash/denial of service, with the public description also warning of possible arbitrary code execution. The NVD record in the supplied corpus uses a CVSS 3.0 vector of AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H and lists CWE-415 (Double Free).

Defensive priority

High priority for any environment that processes untrusted images with JasPer, especially if older packaged versions remain deployed or image conversion is part of a server-side workflow.

Recommended defensive actions

  • Upgrade JasPer to a fixed release at or beyond 1.900.10, or install the vendor-backed package update for your distribution.
  • Apply downstream security advisories and rebuild any packages that bundle or link against affected JasPer libraries.
  • Audit systems that run imginfo or similar image-parsing tools against untrusted BMP input and reduce exposure where possible.
  • Add crash monitoring and alerting around image-processing jobs so unexpected failures are detected quickly.
  • Verify package versions against your distribution's security notices before marking affected systems remediated.
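As an added example (not code from PatchSiren or the JasPer project), the following Python script applies the 1.900.10 threshold from the actions above to installed package strings such as those printed by rpm or dpkg; the package names and release suffixes are constructed, and a result below the threshold only means the distribution advisory must be consulted, because backported fixes keep older upstream version numbers.

```python
"""Triage helper for CVE-2016-8693: flag JasPer package strings whose
upstream version is below the fixed release 1.900.10.

Hypothetical script, not part of PatchSiren or JasPer.  It compares
upstream version numbers only; distributions often backport fixes under
an older version number, so 'check-advisory' means "confirm against the
vendor notice", not "confirmed vulnerable".
"""
import re

FIXED_UPSTREAM = (1, 900, 10)  # first upstream release with the mem_close fix
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the first x.y.z version in a package string as an int tuple.

    Integer tuples compare numerically, so 1.900.9 < 1.900.10 as intended;
    a plain string comparison would rank "1.900.9" above "1.900.10".
    """
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in m.groups())


def below_fixed(text):
    """True when the upstream version in text is older than 1.900.10."""
    return parse_version(text) < FIXED_UPSTREAM


def triage(package_lines):
    """Map each package string to 'check-advisory' or 'at-or-above-fix'."""
    result = {}
    for line in package_lines:
        line = line.strip()
        if line:
            result[line] = "check-advisory" if below_fixed(line) else "at-or-above-fix"
    return result


# Constructed sample package strings (release suffixes are placeholders).
SAMPLE_PACKAGES = [
    "jasper-libs-1.900.1-33.example.x86_64",
    "libjasper1 1.900.9-example",
    "jasper-libs-1.900.10-1.example.x86_64",
    "jasper-2.0.14-example",
]

if __name__ == "__main__":
    for pkg, verdict in triage(SAMPLE_PACKAGES).items():
        print(f"{verdict:16} {pkg}")
```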

Evidence notes

The supplied CVE record was published on 2017-02-15 and later modified on 2026-05-13; that later timestamp reflects metadata updates, not the original issue date. The description names JasPer before 1.900.10 and the trigger as a crafted BMP image for imginfo. The supplied reference set includes the upstream patch commit, a Gentoo technical write-up dated 2016-10-16, and downstream advisories from openSUSE, Debian, Red Hat, Fedora, and others. The NVD CPE criteria in the supplied record also enumerate affected downstream package contexts, including jasper_project:jasper and distro package entries.

Official resources

CVE-2016-8693 was published by NVD/CVE.org on 2017-02-15. The record's 2026-05-13 modified date is a metadata update and should not be treated as the vulnerability's discovery or disclosure date.