PatchSiren cyber security CVE debrief

CVE-2016-5240 GraphicsMagick CVE debrief

CVE-2016-5240 is a denial-of-service issue in SVG image handling. The NVD record ties it to GraphicsMagick versions before 1.3.24, and the CVE description says a circularly defined SVG file can trigger an infinite loop during conversion; the description also mentions the ImageMagick SVG renderer. The record was published in 2017, with vendor and mailing-list references in 2016 indicating the issue was discussed earlier.

Vendor: GraphicsMagick
Product: CVE-2016-5240
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-27
Original CVE updated: 2026-05-13
Advisory published: 2017-02-27
Advisory updated: 2026-05-13

Who should care

Operators of image-processing pipelines that accept untrusted SVG input, especially services running GraphicsMagick or ImageMagick for uploads, thumbnailing, document conversion, or batch rendering.

Technical summary

The primary effect is availability loss from an infinite loop in SVG processing. NVD lists the affected GraphicsMagick range as versions up to and including 1.3.23, with a CVSS 3.0 vector of AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H and weakness CWE-20. The prose description says remote attackers can cause the hang by supplying a circularly defined SVG file, while the CVSS vector scores the attack vector as local (AV:L) with user interaction required (UI:R), so the corpus contains a wording mismatch between the narrative and the CVSS attack-vector assessment.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade GraphicsMagick to 1.3.24 or later, or confirm your packaged build includes the fix.
  • If you use ImageMagick SVG rendering, verify you are on a patched release and retest untrusted SVG handling.
  • Block or sanitize SVG content with circular or recursive references before conversion.
  • Run image conversion workers with CPU, memory, and wall-clock time limits so a hung job cannot exhaust the host.
  • Monitor for stalled conversion tasks and automatically terminate or restart workers that exceed a safe timeout.
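One way to implement the pre-conversion check from the list above (reject SVG input whose id references form a cycle before it reaches the converter), as an added example rather than GraphicsMagick's or ImageMagick's own code. It assumes (assumption) that circular definitions are expressed through href / xlink:href="#id" and url(#id) attributes on elements inside id'd elements; the sample SVG at the bottom is constructed.

```python
import re
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
URL_REF = re.compile(r"url\(\s*#([^)\s]+)\s*\)")

def _referenced_ids(elem):
    """Yield the ids an element points at via href="#x" or url(#x)."""
    for attr in ("href", XLINK_HREF):
        if elem.get(attr, "").startswith("#"):
            yield elem.get(attr)[1:]
    for value in elem.attrib.values():
        yield from URL_REF.findall(value)

def build_reference_graph(root):
    """Edge a -> b when id'd a contains, or (via un-id'd descendants) references, id'd b."""
    graph = {e.get("id"): set() for e in root.iter() if e.get("id")}
    def walk(elem, owner):
        own_id = elem.get("id")
        if own_id and owner:
            graph[owner].add(own_id)                  # containment edge
        owner = own_id or owner
        if owner:                                     # reference edges
            graph[owner].update(i for i in _referenced_ids(elem) if i in graph)
        for child in elem:
            walk(child, owner)
    walk(root, None)
    return graph

def find_reference_cycle(svg_text):
    """Return one cycle as a list of ids, or None; ET.ParseError on malformed XML."""
    graph = build_reference_graph(ET.fromstring(svg_text))
    done, path = set(), []                            # path = current DFS stack
    def dfs(node):
        path.append(node)
        for nxt in graph[node]:
            if nxt in path:                           # back edge closes a cycle
                return path[path.index(nxt):] + [nxt]
            if nxt not in done and (cycle := dfs(nxt)):
                return cycle
        done.add(path.pop())                          # fully explored, no cycle
    for start in graph:
        if start not in done and (cycle := dfs(start)):
            return cycle
    return None

if __name__ == "__main__":
    # Constructed sample: a <use> that instantiates its own enclosing group.
    SAMPLE = '<svg xmlns="http://www.w3.org/2000/svg"><g id="a"><use href="#a"/></g></svg>'
    print(find_reference_cycle(SAMPLE))               # ['a', 'a']
```

Run it as a gate in front of the conversion worker and keep the per-job timeout from the list above as well, since a reference kind the scanner does not model would still hang the converter.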

Evidence notes

The debrief is based on the NVD CVE record published on 2017-02-27 and its official references. NVD’s CPE criteria scope GraphicsMagick through 1.3.23, and the record lists CWE-20 plus a CVSS 3.0 vector indicating high availability impact. The reference set includes the GraphicsMagick changelog, a Debian security advisory, and oss-security discussion links from 2016. The corpus also contains a textual scope mismatch: the description mentions ImageMagick’s SVG renderer, while the CPE criteria point to GraphicsMagick.

Official resources

The CVE record for CVE-2016-5240 was published on 2017-02-27. Its official references point to public 2016 vendor and mailing-list discussion, and NVD last modified the entry on 2026-05-13.