PatchSiren

CVE-2016-10071 Imagemagick CVE debrief

CVE-2016-10071 is a denial-of-service issue in ImageMagick’s MAT file parser. The vulnerability is described as an out-of-bounds read in coders/mat.c that can crash the application when a crafted MAT file is processed. NVD maps the affected range to ImageMagick versions through 6.9.3-10, and the CVE description states the issue is fixed before 6.9.4-0. The NVD CVSS vector is AV:L/AC:L/PR:N/UI:R/A:H, so defenders should treat this as a parsing bug with high availability impact that requires a user to open or otherwise process attacker-controlled content.

Vendor: Imagemagick
Product: CVE-2016-10071
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-02
Original CVE updated: 2026-05-13
Advisory published: 2017-03-02
Advisory updated: 2026-05-13

Who should care

Teams that use ImageMagick to process untrusted images or document assets, especially desktop workflows, upload pipelines, thumbnailing services, and applications that open MAT files on behalf of users.

Technical summary

The flaw is in ImageMagick’s MAT coder (coders/mat.c). A crafted MAT file can trigger an out-of-bounds read, leading to an application crash. NVD assigns CWE-125 (out-of-bounds read). The CVE description says the issue affects ImageMagick before 6.9.4-0, while the NVD CPE range marks versions through 6.9.3-10 as vulnerable. The published CVSS vector is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, which indicates user interaction is needed and the main impact is availability.

Defensive priority

Medium. This is a patch-available availability issue with user-interaction requirements and no evidence in the supplied corpus of active exploitation or KEV listing.

Recommended defensive actions

  • Upgrade ImageMagick to a version that includes the fix for CVE-2016-10071, or backport the referenced patches if you must remain on an affected branch.
  • Inventory systems that can process MAT files and identify any installations at or below the affected version range (through 6.9.3-10 per NVD).
  • Treat MAT files from untrusted sources as risky inputs and limit where ImageMagick is allowed to parse them.
  • Prioritize remediation in applications where a crash would interrupt customer-facing workflows or batch processing.
  • Use the vendor and issue-tracking references to confirm the exact fixed release in your packaging environment and verify the patch is present after upgrade.
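
The inventory and input-limiting steps above can be scripted per host. The following is an added example, not code from ImageMagick or from the sources this debrief cites: it classifies one installation from its `identify -version` banner and its `policy.xml`. The function names, result labels, sample banner and sample policy are constructed for illustration, and the "last matching coder policy decides" rule is a simplifying assumption.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET

# Boundary taken from the debrief: affected before 6.9.4-0 (NVD range ends at 6.9.3-10).
FIXED = (6, 9, 4, 0)
VERSION_RE = re.compile(r"ImageMagick (\d+)\.(\d+)\.(\d+)-(\d+)")

# Constructed sample inputs (not captured from a real host).
SAMPLE_BANNER = "Version: ImageMagick 6.9.3-10 Q16 x86_64 2016-05-04 http://www.imagemagick.org"
SAMPLE_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="{MAT,MVG}"/>
</policymap>"""


def parse_version(banner):
    """Return (major, minor, patch, build) from `identify -version` output, or None."""
    m = VERSION_RE.search(banner)
    return tuple(int(g) for g in m.groups()) if m else None


def mat_coder_blocked(policy_xml):
    """True if the last coder policy whose pattern covers MAT grants no rights.

    Assumption: the last matching entry decides, which errs toward reporting
    "not blocked" on builds that evaluate policies differently.
    """
    blocked = False
    for p in ET.fromstring(policy_xml).iter("policy"):
        if p.get("domain", "").lower() != "coder":
            continue
        names = p.get("pattern", "").upper().strip("{}").split(",")
        if any(fnmatch.fnmatchcase("MAT", n.strip()) for n in names):
            blocked = p.get("rights", "").strip().lower() == "none"
    return blocked


def assess(banner, policy_xml):
    """Classify one installation against the version range in the debrief."""
    version = parse_version(banner)
    if version is None:
        return "unknown"
    if version[0] != 6:
        return "review"  # the debrief only states a 6.x boundary
    if version >= FIXED:
        return "fixed-by-version"
    return "vulnerable-mitigated" if mat_coder_blocked(policy_xml) else "vulnerable"


if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_POLICY))
```

A "vulnerable" result on a distribution package still needs a patch check, because backported fixes keep the old upstream version number.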

Evidence notes

The debrief is based on the NVD CVE record and the linked patch/advisory references. Source data states: a crafted MAT file can cause an out-of-bounds read and application crash; ImageMagick versions before 6.9.4-0 are affected; NVD’s vulnerable CPE range ends at 6.9.3-10; the weakness is CWE-125; and the CVSS vector is AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The record was published on 2017-03-02 and last modified on 2026-05-13; that modified timestamp is not the issue date.

Official resources

Published by NVD on 2017-03-02T21:59:00.600Z. The NVD record was last modified on 2026-05-13T00:24:29.033Z. The supplied source references include a December 26, 2016 oss-security post and ImageMagick patch commits.