PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-10066 ImageMagick CVE debrief

CVE-2016-10066 is a denial-of-service flaw in ImageMagick’s VIFF image parser. A crafted file can trigger a buffer overflow in ReadVIFFImage, causing the application to crash. The issue affects ImageMagick versions before 6.9.4-5 and is most relevant anywhere untrusted image uploads or conversions are accepted.

Vendor
ImageMagick
Product
ImageMagick
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2017-03-03
Original CVE updated
2026-05-13
Advisory published
2017-03-03
Advisory updated
2026-05-13

Who should care

Operators and developers who use ImageMagick to process user-supplied images, especially web services, document pipelines, thumbnailers, and content ingestion systems. VIFF does not have to be an advertised input type to matter: unless the format is forced on the command line, ImageMagick selects the coder from a file's header bytes rather than its extension, so any workflow that lets it auto-detect formats can reach the VIFF parser with a renamed file.

Technical summary

NVD describes a buffer overflow in coders/viff.c:ReadVIFFImage in ImageMagick before 6.9.4-5, reachable through a crafted file and resulting in a denial of service (application crash); NVD classifies it as CWE-120. The NVD CVSS vector (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) scores availability impact only, with local access and user interaction required. That vector models a user opening a file on their own machine; a service that converts uploads automatically supplies the interaction itself, so the Local/UI:R rating understates exposure in web pipelines, where the practical risk is highest. The public record describes a crash and nothing more, so treat the impact as availability unless your own analysis of the affected build shows otherwise.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade ImageMagick to 6.9.4-5 or later, or to the vendor-fixed package in your distribution. Distribution packages often backport the fix without changing the upstream version string, so check the distro advisory rather than relying on the version number alone.
  • If VIFF support is not needed, deny the coder in ImageMagick's policy.xml (a coder-domain policy with rights="none" for the VIFF pattern; the same module also registers the XV format name, so deny that too) and confirm the result with identify -list format and identify -list policy.
  • Treat all image uploads and conversions as untrusted input and run ImageMagick under least privilege, in a sandbox or container, with resource limits, so a crash or runaway conversion is contained to the worker rather than the service.
  • Add monitoring for unexpected crashes in image-processing services (worker restarts, segfaults or aborts in service logs) and review file-type allowlists: an allowlist keyed on extension or Content-Type does not stop VIFF, because the coder is chosen from header bytes; allowlist on the sniffed header instead.
  • Verify downstream packages and bundled copies of ImageMagick (language bindings, container base images, vendored builds), since vulnerable versions may be embedded in applications or platform images.
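As an added example for the upgrade and allowlist actions above (this is not PatchSiren or ImageMagick code), the following Python script compares an ImageMagick version string against the 6.9.4-5 cutoff from the NVD record and gates uploads on sniffed header bytes, so a VIFF file cannot reach the parser regardless of its extension. The function names and the PNG/JPEG/GIF allowlist of the hypothetical upload endpoint are this example's own choices; the 0xAB 0x01 identifier is the Khoros VIFF header magic, and every sample buffer is constructed for the example.

```python
"""Version and header checks for the CVE-2016-10066 debrief.

Added example, not ImageMagick project code. It covers two of the
defensive actions in the debrief:

  * is_fixed_imagemagick(): compare an installed version string against
    the 6.9.4-5 cutoff from the NVD record.
  * accept_upload(): allowlist uploads by header bytes rather than by
    file extension, so a VIFF file renamed to .png is still rejected
    before ImageMagick's coder auto-detection can pick the VIFF coder.

The VIFF identifier bytes 0xAB 0x01 are the Khoros VIFF header magic;
the PNG/JPEG/GIF magics are the standard ones. The allowlist below is
a hypothetical upload endpoint's policy, and all sample inputs are
constructed for this example.
"""
import re
import subprocess

# First release outside the NVD affected range ("through 6.9.4-4").
FIXED_VERSION = (6, 9, 4, 5)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_imagemagick_version(text):
    """Return (major, minor, patch, release) from a bare version such as
    '6.9.4-4' or from the first line of `convert -version`, e.g.
    'Version: ImageMagick 6.9.4-4 Q16 x86_64 2016-12-01'. None if absent."""
    m = _VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def is_fixed_imagemagick(text):
    """True when the upstream version is 6.9.4-5 or later.

    Caveat: distributions often backport fixes without bumping the
    upstream version string, so False means "check the distro advisory",
    not necessarily "vulnerable"."""
    version = parse_imagemagick_version(text)
    if version is None:
        raise ValueError("no ImageMagick version in %r" % (text,))
    return version >= FIXED_VERSION


VIFF_MAGIC = b"\xab\x01"

# Formats the hypothetical upload endpoint is willing to hand to ImageMagick.
ALLOWED_MAGICS = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def sniff_image_type(data):
    """Classify a buffer by its leading bytes: an allowlisted format name,
    'viff' when the VIFF magic is present, or None for anything else.
    File extension and Content-Type are deliberately ignored: ImageMagick
    chooses the coder from these header bytes when the format is not
    forced on the command line, so they are what decides the parser."""
    for name, magic in ALLOWED_MAGICS.items():
        if data.startswith(magic):
            return name
    if data.startswith(VIFF_MAGIC):
        return "viff"
    return None


def accept_upload(data):
    """Gate an upload: only allowlisted headers reach ImageMagick."""
    return sniff_image_type(data) in ALLOWED_MAGICS


def installed_version_is_fixed(binary="convert"):
    """Run `convert -version` on this host and apply the cutoff check.
    Returns None when the binary is not present."""
    try:
        out = subprocess.run([binary, "-version"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        return None
    return is_fixed_imagemagick(out)


if __name__ == "__main__":
    # Constructed samples: a minimal VIFF header and a PNG signature.
    viff_stub = VIFF_MAGIC + b"\x00" * 30
    png_stub = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print("6.9.4-4 fixed?", is_fixed_imagemagick("6.9.4-4"))    # False
    print("7.0.3-10 fixed?", is_fixed_imagemagick("7.0.3-10"))  # True
    print("viff stub accepted?", accept_upload(viff_stub))      # False
    print("png stub accepted?", accept_upload(png_stub))        # True
    print("installed convert fixed?", installed_version_is_fixed())
```

Running it stand-alone prints the constructed checks and, if a convert binary is on the PATH, whether the installed version is past the cutoff. In a fleet check, feed the first line of convert -version from each host to is_fixed_imagemagick and treat False on distribution-packaged builds as a prompt to read the distro advisory, not as a final verdict.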

Evidence notes

The vulnerability and version cutoff come from the NVD record for CVE-2016-10066, which lists the affected CPE range as ImageMagick through 6.9.4-4 and cites CWE-120. The record references an oss-security mailing list disclosure from 2016-12-26, a Red Hat bug tracker entry, and ImageMagick GitHub commits associated with the fix. The CVE was published on 2017-03-03; the later modified date reflects database updates, not a new issue date.

Official resources

Publicly disclosed in late 2016 and published in CVE/NVD on 2017-03-03; the supplied references point to the original mailing list discussion, issue tracking, and ImageMagick fix commits.