PatchSiren cyber security CVE debrief
CVE-2016-10067 ImageMagick CVE debrief
CVE-2016-10067 is a high-severity ImageMagick flaw that can let a remote attacker crash affected applications. The issue is described as a buffer overflow in magick/memory.c triggered by "too many exceptions," with affected versions prior to 6.9.4-5. The NVD record rates the impact as network-exploitable with no privileges or user interaction required, and availability impact only.
- Vendor: ImageMagick
- Product: CVE-2016-10067
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-03-02
- Original CVE updated: 2026-05-13
- Advisory published: 2017-03-02
- Advisory updated: 2026-05-13
Who should care
Security teams, application owners, and platform teams that deploy or embed ImageMagick—especially in internet-facing services, document/image processing pipelines, and products that bundle the library—should prioritize this issue.
Technical summary
NVD classifies the weakness as CWE-119 and lists the vulnerable CPE range for ImageMagick through 6.9.4-4. The CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating a remotely reachable crash condition with high availability impact and no confidentiality or integrity impact. The supplied references include a vendor/patch discussion, an issue tracker entry, and an ImageMagick commit reference associated with remediation.
Defensive priority
High for exposed systems that process untrusted images or files. Because exploitation requires only network access and no authentication or interaction, patching should be prioritized ahead of lower-impact local issues.
Recommended defensive actions
- Upgrade ImageMagick to 6.9.4-5 or later, or to the vendor-recommended fixed release in your package stream.
- Inventory servers, containers, and applications that link against or bundle ImageMagick, including transitive dependencies.
- Prioritize patching for internet-facing or automated image-processing workloads that accept untrusted input.
- If immediate upgrading is not possible, reduce exposure by limiting where ImageMagick can process external content and isolating affected services.
- Validate deployed package versions against the affected range ending at 6.9.4-4.
- Monitor for unexpected application crashes in services that parse images or convert media files.
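An added version check for the "validate deployed package versions" step above; it is example code written for this debrief, not from the advisory or the ImageMagick project. It parses the first line that `convert -version` prints (the sample host lines below are constructed, hostnames are assumed) and flags any ImageMagick 6 build below the fixed release 6.9.4-5. Distribution packages that backport the fix keep an older upstream version string, so a flagged host still needs its package changelog checked.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed release named in the advisory; everything below it is in the
# affected CPE range that ends at 6.9.4-4.
FIXED_VERSION = "6.9.4-5"

# ImageMagick 6 reports versions as major.minor.patch-release, e.g. "6.9.4-4".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract a (major, minor, patch, release) tuple from a bare version
    string or from the first line of `convert -version` output.
    A missing "-release" suffix is treated as release 0."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, release = m.groups()
    return (int(major), int(minor), int(patch), int(release or 0))


def is_affected(text: str) -> Optional[bool]:
    """True if the reported version is below 6.9.4-5, False if at or above
    it, None if no version could be parsed. Distro backports are not
    detected: an older upstream string with a backported fix reads True."""
    v = parse_version(text)
    if v is None:
        return None
    return v < parse_version(FIXED_VERSION)


# Constructed sample inventory: hostname -> first line of `convert -version`.
# Build dates and hostnames are made up for the example.
SAMPLE_INVENTORY: Dict[str, str] = {
    "web-01": "Version: ImageMagick 6.9.4-4 Q16 x86_64 2016-06-25 http://www.imagemagick.org",
    "web-02": "Version: ImageMagick 6.9.4-5 Q16 x86_64 2016-07-10 http://www.imagemagick.org",
    "batch-01": "Version: ImageMagick 6.8.9-9 Q16 x86_64 2015-03-05 http://www.imagemagick.org",
    "batch-02": "Version: ImageMagick 7.0.1-0 Q16 x86_64 2016-05-20 http://www.imagemagick.org",
}


def affected_hosts(inventory: Dict[str, str]) -> List[str]:
    """Return the sorted hostnames whose reported version is in the affected range."""
    return sorted(host for host, line in inventory.items() if is_affected(line))


if __name__ == "__main__":
    print("Hosts to patch:", affected_hosts(SAMPLE_INVENTORY))
```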
Evidence notes
The description states that magick/memory.c in ImageMagick before 6.9.4-5 can be crashed remotely via vectors involving "too many exceptions," which trigger a buffer overflow. The NVD metadata lists the vulnerable CPE as ImageMagick versions up to and including 6.9.4-4 and assigns CWE-119. Reference links provided by the record include the OSS-security mailing list post, Red Hat Bugzilla entry, and an ImageMagick GitHub commit associated with the fix. CVE publication is 2017-03-02, and the record was later modified on 2026-05-13; use the published date as the issue date.
Official resources
- CVE-2016-10067 CVE record (CVE.org)
- CVE-2016-10067 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference [link not preserved in this record]: Mailing List, Patch, Third Party Advisory
- Mitigation or vendor reference [link not preserved in this record]: Third Party Advisory, VDB Entry
- Mitigation or vendor reference [link not preserved in this record]: Issue Tracking, Patch, Third Party Advisory, VDB Entry
- Mitigation or vendor reference [link not preserved in this record]: Patch, Third Party Advisory
Publicly disclosed and recorded in NVD on 2017-03-02. The supplied references include a patch-related mailing list post dated 2016-12-26, indicating remediation discussion before CVE publication. No Known Exploited Vulnerabilities listing,