PatchSiren cyber security CVE debrief

CVE-2016-10061 ImageMagick CVE debrief

CVE-2016-10061 is a denial-of-service flaw in ImageMagick’s TIFF/GROUP4 handling. A crafted image can trigger a crash in ReadGROUP4Image because the code did not check the return value of fputc, affecting older ImageMagick releases before the fixed versions listed by NVD.

Vendor: ImageMagick
Product: Unknown
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-03
Original CVE updated: 2026-05-13
Advisory published: 2017-03-03
Advisory updated: 2026-05-13

Who should care

Teams that run ImageMagick in any path that accepts untrusted images, especially upload, preview, thumbnail, and document-conversion services. This matters most where TIFF or fax/GROUP4 content can be supplied by users or external systems.

Technical summary

According to NVD, the flaw is in ReadGROUP4Image in coders/tiff.c and is classified as CWE-252 (Unchecked Return Value). The issue can be triggered by a crafted image file and results in denial of service through a process crash. NVD’s CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, so exploitation requires user interaction with the malicious file but does not require privileges.
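To make the CWE-252 pattern concrete, the following is an added example; it is not ImageMagick's code and not the actual ReadGROUP4Image fix. It shows a hypothetical row-writer that discards the return value of fputc beside a hardened version that checks both fputc and fflush. The function names, the constructed sample row and the use of fmemopen() for in-memory streams are assumptions made for this demo.

```c
/* Added example (not ImageMagick's own code): the CWE-252 pattern behind
 * CVE-2016-10061, an unchecked fputc() return, shown as a hypothetical
 * row-writer next to a hardened version. fmemopen() keeps the demo in
 * memory; all names and the sample row are constructed for illustration. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: every byte counts as "written" no matter what fputc()
 * reports, so a failing stream silently yields short or empty output that a
 * later decoding stage then operates on. */
size_t write_row_unchecked(const unsigned char *row, size_t len, FILE *out)
{
    size_t i;
    for (i = 0; i < len; i++)
        (void) fputc(row[i], out);      /* return value discarded */
    return len;                         /* always claims full success */
}

/* Hardened pattern: stop at the first failed fputc() and report the error
 * to the caller. fflush() is checked as well because stdio buffering can
 * defer the real write error until flush time. */
int write_row_checked(const unsigned char *row, size_t len, FILE *out)
{
    size_t i;
    for (i = 0; i < len; i++) {
        if (fputc(row[i], out) == EOF)
            return -1;                  /* caller must abort the decode */
    }
    if (fflush(out) == EOF)
        return -1;
    return 0;
}

/* Demo: returns 0 when behaviour matches expectations. The checked writer
 * succeeds into a writable buffer and fails on a read-only stream, while
 * the unchecked writer reports full success even on the read-only stream. */
int demo(void)
{
    static const unsigned char row[] = {0x00, 0x10, 0xFF, 0x7F}; /* constructed */
    char buf[16] = {0};
    FILE *ok, *ro;
    int rc_ok, rc_ro;
    size_t n_ro;

    ok = fmemopen(buf, sizeof buf, "w");
    if (ok == NULL) return 1;
    rc_ok = write_row_checked(row, sizeof row, ok);
    fclose(ok);

    ro = fmemopen(buf, sizeof buf, "r");    /* writes must fail here */
    if (ro == NULL) return 1;
    rc_ro = write_row_checked(row, sizeof row, ro);
    n_ro = write_row_unchecked(row, sizeof row, ro);
    fclose(ro);

    if (rc_ok != 0 || memcmp(buf, row, sizeof row) != 0) return 2;
    if (rc_ro != -1) return 3;
    if (n_ro != sizeof row) return 4;   /* unchecked writer lied about success */
    return 0;
}
```

The point of the hardened variant is that a write failure becomes an error the decoder can act on; in the unchecked variant the failure goes unnoticed and downstream code works on truncated output, which is the kind of condition that ends in the process crash NVD describes for this CVE.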

Defensive priority

Medium overall; higher priority if ImageMagick is exposed to untrusted files or runs in an internet-facing processing pipeline.

Recommended defensive actions

  • Upgrade ImageMagick to a fixed release: at least 6.9.4-8 for the affected 6.x branch or 7.0.1-10 for the 7.x branch, per NVD CPE criteria.
  • Inventory systems that invoke ImageMagick directly or through libraries, and confirm whether they can receive attacker-controlled TIFF/GROUP4 images.
  • If immediate upgrading is not possible, isolate image-processing workloads and treat all external image content as untrusted input.
  • Monitor for worker crashes or service restarts in image-conversion components, which may indicate attempted triggering of the flaw.
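As a helper for the inventory and upgrade steps above, here is an added example (not ImageMagick's own code) that compares an installed version against the fixed releases the NVD criteria give, 6.9.4-8 for 6.x and 7.0.1-10 for 7.x. The banner parsing assumes the first line of `convert -version` / `magick -version` contains "ImageMagick <version>"; that layout, and every function name here, is an assumption of this example rather than something taken from the page.

```c
/* Added example (not ImageMagick's own code): check an ImageMagick version
 * string against the fixed releases NVD lists for CVE-2016-10061. Branches
 * other than 6.x and 7.x are reported as "not covered" because the page's
 * criteria say nothing about them. Names are illustrative. */
#include <stdio.h>
#include <string.h>

/* Parse "major.minor.patch-release" (e.g. "6.9.4-8"); returns 1 on success. */
int parse_im_version(const char *s, int v[4])
{
    return sscanf(s, "%d.%d.%d-%d", &v[0], &v[1], &v[2], &v[3]) == 4;
}

/* Lexicographic comparison of two 4-part versions: -1, 0 or 1. */
static int cmp4(const int a[4], const int b[4])
{
    int i;
    for (i = 0; i < 4; i++)
        if (a[i] != b[i]) return a[i] < b[i] ? -1 : 1;
    return 0;
}

/* 1 = at or above the fixed release for its branch, 0 = still affected,
 * -1 = unparsable or a branch the NVD criteria on this page do not cover. */
int cve_2016_10061_fixed(const char *version)
{
    static const int fixed6[4] = {6, 9, 4, 8};   /* from the page's NVD criteria */
    static const int fixed7[4] = {7, 0, 1, 10};  /* from the page's NVD criteria */
    int v[4];
    if (!parse_im_version(version, v)) return -1;
    if (v[0] == 6) return cmp4(v, fixed6) >= 0;
    if (v[0] == 7) return cmp4(v, fixed7) >= 0;
    return -1;
}

/* Extract the version token following "ImageMagick " from a -version banner
 * line (assumed layout, e.g. "Version: ImageMagick 6.9.4-7 Q16 x86_64 ...").
 * Returns 1 on success and copies the token into out. */
int version_from_banner(const char *line, char *out, size_t outlen)
{
    const char *p = strstr(line, "ImageMagick ");
    size_t n;
    if (p == NULL) return 0;
    p += strlen("ImageMagick ");
    n = strcspn(p, " \t\r\n");
    if (n == 0 || n >= outlen) return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}
```

In an inventory job, feed each host's banner line through version_from_banner and then cve_2016_10061_fixed; a result of 0 flags a host for upgrade, and -1 flags a host whose version string needs a manual look rather than being silently treated as safe.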

Evidence notes

The debrief is based on the supplied NVD record and CVE metadata. NVD identifies the weakness as CWE-252 and provides the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The supplied references include the Openwall oss-security post, Red Hat Bugzilla entry, ImageMagick GitHub issue, and the related GitHub commit, all of which are patch/advisory trail points in the source corpus.

Official resources

CVE-2016-10061 was published in the CVE/NVD record on 2017-03-03. The supplied NVD record was last modified on 2026-05-13. No CISA KEV entry is provided in the supplied data.