PatchSiren cyber security CVE debrief

CVE-2016-7996 Graphicsmagick CVE debrief

CVE-2016-7996 is a critical memory-safety flaw in GraphicsMagick’s WPG format reader. According to the NVD record, the issue affects GraphicsMagick 1.3.25 and earlier and can be triggered remotely by a crafted WPG image containing a colormap with a large number of entries. Because the flaw is a heap-based buffer overflow and the CVSS vector is network-exploitable with no privileges or user interaction, this should be treated as a high-priority patching item for any environment that processes untrusted image files.

Vendor: Graphicsmagick
Product: CVE-2016-7996
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-18
Original CVE updated: 2026-05-13
Advisory published: 2017-01-18
Advisory updated: 2026-05-13

Who should care

Administrators and developers running GraphicsMagick, especially services or applications that accept or transform user-supplied WPG images. Debian or other downstream package maintainers should also confirm that their packaged GraphicsMagick builds include the fix referenced by the security advisories.

Technical summary

NVD classifies the weakness as CWE-119 and describes a heap-based buffer overflow in the WPG reader. The overflow is associated with processing a colormap that contains a large number of entries. The CVSS 3.0 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates remote exploitation is possible without authentication or user interaction and could affect confidentiality, integrity, and availability.

Defensive priority

Urgent. The combination of network reachability, no user interaction, and critical CVSS severity makes this a priority for immediate patch validation and deployment in any system that parses untrusted WPG content.

Recommended defensive actions

Upgrade GraphicsMagick to a version newer than 1.3.25 that includes the vendor or downstream fix.
Confirm that all packaged or embedded GraphicsMagick instances in applications and containers are updated, not just the system package.
Treat WPG files from untrusted sources as risky input until patched; isolate image-processing workflows where practical.
Review Debian or other downstream security guidance referenced by the CVE record to verify distribution-specific fixed builds.
Add regression tests or file-handling validation around image import paths that process WPG colormaps.

Evidence notes

This debrief is based on the NVD CVE record and its references. The supplied record states: heap-based buffer overflow in the WPG format reader; affected versions are GraphicsMagick 1.3.25 and earlier; trigger condition is a colormap with a large number of entries; and the weakness is CWE-119. The record also provides the CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Reference metadata includes a Debian security advisory, two oss-security mailing list entries, and a SecurityFocus advisory entry.

Official resources

CVE-2016-7996 CVE record
CVE.org
CVE-2016-7996 NVD detail
NVD
Source item URL
nvd_modified
Source reference
[email protected]
Mitigation or vendor reference
[email protected] - Mailing List, Patch, Third Party Advisory
Mitigation or vendor reference
[email protected] - Mailing List, Third Party Advisory
Mitigation or vendor reference
[email protected] - Third Party Advisory, VDB Entry

Public record dates supplied for this CVE show initial publication on 2017-01-18 and a later record modification on 2026-05-13. The CVE metadata also references October 2016 mailing-list and Debian security materials, which provide context,