PatchSiren cyber security CVE debrief

CVE-2016-10064 ImageMagick CVE debrief

CVE-2016-10064 is a buffer overflow in ImageMagick's TIFF coder (coders/tiff.c) affecting releases before 6.9.5-1. According to the CVE record, a crafted file allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact. The CVE record was published on 2017-03-02, and the linked references point to the upstream patch commits and to distribution advisories for the vulnerability.

Vendor: ImageMagick
Product: ImageMagick
CVSS: 7.8 (HIGH)
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-02
Original CVE updated: 2026-05-13
Advisory published: 2017-03-02
Advisory updated: 2026-05-13

Who should care

Organizations running ImageMagick in any workflow that processes untrusted image files should review this immediately, especially web services, document pipelines, media conversion jobs, and distro/package maintainers shipping affected ImageMagick builds. Note that ImageMagick picks the coder from a file's magic bytes rather than its extension, so a service that only expects JPEG or PNG uploads still reaches coders/tiff.c when a TIFF is submitted under another name, unless the TIFF coder is disabled by policy.

Technical summary

The CVE description identifies a buffer overflow in coders/tiff.c in ImageMagick before 6.9.5-1. NVD maps the issue to CWE-119 (improper restriction of operations within the bounds of a memory buffer) and, in the CPE criteria, lists ImageMagick versions through 6.9.5-0 as vulnerable. The stated impact is a denial of service triggered by a crafted file supplied by a remote attacker, with unspecified other impact possible. The record also links ImageMagick patch commits and third-party advisories.

Defensive priority

High. The CVSS score is 7.8 (HIGH), and the weakness sits in file-parsing code that is routinely exposed to attacker-controlled input. The NVD vector scores the attack vector as local with user interaction required, which models a victim opening a crafted file; a service that automatically converts uploaded files removes that interaction step in practice, so network-exposed converters belong at the top of the list.

Recommended defensive actions

  • Upgrade ImageMagick to 6.9.5-1 or later, the first fixed release named in the CVE description.
  • Treat any application that accepts user-supplied image content (not only files with a .tif/.tiff extension) as potentially exposed until patched.
  • Verify vendor/package backports if you rely on distro-provided ImageMagick builds; a backported fix keeps the old version string, so the version alone proves neither exposure nor remediation.
  • Make sure image-processing services log and alert on converter crashes (a crafted-file denial of service shows up as repeated worker crashes), and where TIFF input is not required, disable the TIFF coder in policy.xml as a stop-gap until the upgrade lands.
  • Use the linked vendor and distribution advisories to confirm whether your deployment is covered by a patch or backport.
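The version check and policy review above, as an added example written for this debrief (not code from PatchSiren or the ImageMagick project). It compares an installed ImageMagick against the 6.9.5-1 boundary the CVE description names, and inspects a policy.xml document for a TIFF coder block. The sample banner and the two policy documents are constructed for illustration; the real policy file lives at a distro-specific path such as /etc/ImageMagick-6/policy.xml, which is an assumption you should confirm locally.

```python
"""Added example for this debrief (not code from PatchSiren or the ImageMagick
project): check an installed ImageMagick against the fix boundary the CVE
description names (6.9.5-1) and inspect a policy.xml document for a TIFF coder
block usable as a stop-gap.  The sample banner and policy documents are
constructed for illustration, not captured from a real host."""
import re
import shutil
import subprocess
import xml.etree.ElementTree as ET

FIXED_VERSION = "6.9.5-1"   # first fixed release per the CVE description

def parse_version(text):
    """'6.9.5-1' -> (6, 9, 5, 1), so tuples compare numerically, not as strings
    ('6.9.10-97' must sort after '6.9.5-1')."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)-(\d+)", text.strip())
    if not m:
        raise ValueError(f"not an ImageMagick version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def version_from_banner(banner):
    """Pull the version out of the first line of `convert -version` or
    `magick -version`, e.g. 'Version: ImageMagick 6.9.5-0 Q16 x86_64 ...'.
    Returns None for a non-ImageMagick banner (GraphicsMagick also ships a
    `convert` binary)."""
    m = re.search(r"Version: ImageMagick (\d+\.\d+\.\d+-\d+)", banner)
    return m.group(1) if m else None

def assess(version):
    """Classify an upstream version against the range this debrief states:
    6.x before 6.9.5-1 is 'affected', 6.9.5-1 and later 'fixed-upstream'.
    7.x builds are outside the NVD CPE range quoted on the page, so they are
    reported as 'outside-stated-range' rather than guessed at.  None of this
    accounts for distro backports, which keep an old version string."""
    v = parse_version(version)
    if v[0] != 6:
        return "outside-stated-range"
    return "fixed-upstream" if v >= parse_version(FIXED_VERSION) else "affected"

def policy_blocks_tiff(policy_xml):
    """True if the policy document denies the TIFF coder, i.e. carries
    <policy domain="coder" rights="none" pattern="TIFF"/> (or a pattern such as
    "{TIFF,TIFF64}" or "*").  With that line ImageMagick refuses TIFF input
    entirely, so coders/tiff.c is never reached, at the cost of TIFF support.
    Pattern matching here is a simplification of ImageMagick's glob rules."""
    root = ET.fromstring(policy_xml)
    for pol in root.iter("policy"):
        if pol.get("domain", "").lower() != "coder":
            continue
        if pol.get("rights", "").lower() != "none":
            continue
        pattern = pol.get("pattern", "").upper()
        if pattern == "*" or "TIFF" in pattern:
            return True
    return False

def installed_banner():
    """First line of the local ImageMagick banner, or None if not installed."""
    for exe in ("magick", "convert"):
        path = shutil.which(exe)
        if path:
            out = subprocess.run([path, "-version"], capture_output=True, text=True)
            lines = out.stdout.splitlines()
            return lines[0] if lines else None
    return None

# Constructed sample inputs (not captured from a real system).
SAMPLE_BANNER = ("Version: ImageMagick 6.9.5-0 Q16 x86_64 2016-07-10 "
                 "http://www.imagemagick.org")
SAMPLE_POLICY_DEFAULT = """<policymap>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
</policymap>"""
SAMPLE_POLICY_HARDENED = """<policymap>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="TIFF" />
</policymap>"""

if __name__ == "__main__":
    banner = installed_banner() or SAMPLE_BANNER
    version = version_from_banner(banner)
    print(banner)
    print("upstream version:", version, "->", assess(version) if version else "unparsed")
    for label, doc in (("default", SAMPLE_POLICY_DEFAULT), ("hardened", SAMPLE_POLICY_HARDENED)):
        print(f"{label} policy blocks TIFF coder: {policy_blocks_tiff(doc)}")
```

Run it on a host with ImageMagick installed and it reports the live banner; otherwise it falls back to the constructed 6.9.5-0 sample and reports it as affected. An "affected" result on a distro build is a prompt to read the package changelog or advisory, not a verdict, for the backport reason given in the list above. Blocking the TIFF coder by policy is a blunt control: it stops TIFF processing altogether, so only use it where TIFF input is not a business requirement.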

Evidence notes

Source references include the CVE record, NVD detail, ImageMagick patch commits, a Red Hat bug report, an openSUSE advisory, and an oss-security mailing list post. The narrative description says the issue exists before 6.9.5-1, while the NVD CPE criteria mark ImageMagick as vulnerable through 6.9.5-0; the two statements agree, since 6.9.5-0 is the last release before 6.9.5-1. NVD assigns the CVSS v3.1 vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (base score 7.8) and CWE-119.

Official resources

The CVE and NVD records were published on 2017-03-02; the supporting material is the upstream ImageMagick patch commits, the Red Hat bug report, the openSUSE advisory, and the oss-security mailing list post named under Evidence notes.