PatchSiren cyber security CVE debrief
CVE-2016-10063 ImageMagick CVE debrief
CVE-2016-10063 describes a buffer overflow in ImageMagick’s TIFF coder (coders/tiff.c) affecting versions before 6.9.5-1. According to the NVD summary, a crafted file can trigger a denial of service (application crash) and may have other unspecified impact. NVD classifies the weakness as CWE-119 and rates the issue HIGH with a CVSS 3.1 score of 7.8.
- Vendor: ImageMagick
- Product: CVE-2016-10063
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-03-02
- Original CVE updated: 2026-05-13
- Advisory published: 2017-03-02
- Advisory updated: 2026-05-13
Who should care
Teams that run ImageMagick in production, especially services that accept or transform untrusted TIFF images such as upload pipelines, document conversion systems, thumbnailing services, and CI/CD or batch-processing environments.
Technical summary
NVD’s record identifies a buffer overflow in ImageMagick’s coders/tiff.c, described as "related to extend validity", with affected versions ending at 6.9.5-0 and the fixed version noted as 6.9.5-1. The vulnerability is mapped to CWE-119 (memory corruption). The published CVSS vector is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, and the prose description says a crafted file can cause an application crash or other unspecified impact.
Defensive priority
High for any environment that processes untrusted TIFF input. The issue has a patch reference and an affected-version boundary in NVD, so upgrading should be prioritized over compensating controls alone.
Recommended defensive actions
- Upgrade ImageMagick to 6.9.5-1 or a newer fixed release, or use a vendor backport that includes the referenced fix.
- Review all places where ImageMagick processes user-supplied or externally sourced TIFF files, including web upload paths and automated conversion jobs.
- Temporarily reduce exposure by restricting TIFF handling where practical, especially for untrusted files, until patched.
- Validate patched deployments with normal image-processing test cases to confirm the fix did not break expected workflows.
- Track downstream distribution advisories or bug trackers for backported fixes if you rely on packaged ImageMagick builds.
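As an added example that is not part of the advisory or of ImageMagick's own tooling, the following POSIX shell helper turns the upgrade and TIFF-restriction actions above into checks: it compares a version string against the 6.9.5-1 boundary given in the NVD record and reports whether a policy.xml already disables the TIFF coder. The banner format and the policy.xml coder element are ImageMagick conventions; the sample banner is constructed.

```shell
#!/bin/sh
# Added example (not ImageMagick's or the advisory's code): string-based
# checks for CVE-2016-10063, usable on `identify -version` output and policy.xml.
FIXED_VERSION="6.9.5-1"   # fix boundary stated in the NVD record

# Compare two ImageMagick versions (MAJOR.MINOR.MICRO-PATCH) field by field as
# integers (6.9.4-10 > 6.9.4-9); prints -1, 0 or 1 for a < b, a == b, a > b.
im_vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            ai = (i <= na) ? x[i] + 0 : 0
            bi = (i <= nb) ? y[i] + 0 : 0
            if (ai < bi) { print "-1"; exit }
            if (ai > bi) { print "1"; exit }
        }
        print "0"
    }'
}

# Extract the version token from `identify -version` banner text on stdin,
# e.g. "Version: ImageMagick 6.9.4-10 Q16 x86_64" -> "6.9.4-10".
im_version_from_banner() {
    sed -n 's/^Version: ImageMagick \([0-9][0-9.-]*\).*/\1/p' | head -n 1
}

# Classify a version against the boundary: "affected", "fixed" or "unknown".
# The record bounds the 6.x branch only, so other majors are not guessed.
im_cve_2016_10063_status() {
    case "$1" in
        6.*) ;;
        *)   echo unknown; return ;;
    esac
    if [ "$(im_vercmp "$1" "$FIXED_VERSION")" -lt 0 ]; then echo affected; else echo fixed; fi
}

# "yes" if policy.xml text on stdin disables the TIFF coder with
# <policy domain="coder" rights="none" pattern="TIFF"/> (any attribute order),
# the interim restriction recommended above.
policy_blocks_tiff() {
    if grep -i '<policy' | grep -i 'domain="coder"' | grep -i 'rights="none"' |
       grep -iq 'pattern="TIFF"'; then echo yes; else echo no; fi
}

# Demo on a constructed banner; on a real host pipe `identify -version` instead.
v=$(printf 'Version: ImageMagick 6.9.4-10 Q16 x86_64\n' | im_version_from_banner)
echo "ImageMagick $v: $(im_cve_2016_10063_status "$v")"
```

On a host, `identify -version | im_version_from_banner` and `policy_blocks_tiff < /etc/ImageMagick-6/policy.xml` (path varies by distribution) feed the same functions with live data.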
Evidence notes
The CVE record and NVD detail identify the issue as a TIFF-related buffer overflow in ImageMagick before 6.9.5-1, with affected CPE criteria ending at 6.9.5-0. NVD lists CWE-119 and the CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. Supporting references include an Openwall oss-security post, a Red Hat Bugzilla entry, and two ImageMagick GitHub commits referenced as patches in the NVD metadata.
Official resources
- CVE-2016-10063 CVE record (CVE.org)
- CVE-2016-10063 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: Mailing List, Patch, Third Party Advisory
- Mitigation or vendor reference: Third Party Advisory, VDB Entry
- Mitigation or vendor reference: Issue Tracking, Patch, Third Party Advisory, VDB Entry
- Mitigation or vendor reference: Patch, Third Party Advisory
- Mitigation or vendor reference: Patch, Vendor Advisory
The CVE was published in the official record on 2017-03-02. The NVD reference list also points to an Openwall oss-security post dated 2016-12-26 and upstream patch commits, indicating the fix and advisory trail were already public before NV