PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-6823 ImageMagick CVE debrief

CVE-2016-6823 is a high-severity ImageMagick BMP parsing vulnerability. A crafted BMP with attacker-controlled height and width values can trigger an integer overflow in the BMP coder, leading to an out-of-bounds write and a crash. NVD rates the issue as network-exploitable with no privileges or user interaction required, and classifies the weakness as CWE-190. The NVD record was published on 2017-01-18 and later modified on 2026-05-13.

Vendor: ImageMagick
Product: CVE-2016-6823
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-18
Original CVE updated: 2026-05-13
Advisory published: 2017-01-18
Advisory updated: 2026-05-13

Who should care

Teams that process untrusted BMP images with ImageMagick should care most, especially internet-facing upload, thumbnailing, conversion, or document-processing services. Security responders should also check packaged or embedded ImageMagick deployments in applications and serverless/image-processing pipelines.

Technical summary

NVD describes an integer overflow in the BMP coder caused by crafted height and width values. The overflow can lead to an out-of-bounds write and denial of service via a crash. NVD’s CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating that remote exploitation is feasible without authentication or user interaction, but that the primary impact is availability. NVD’s affected-version criteria include ImageMagick before 6.9.10-50 and 7.0.0-0 through 7.0.2-9, and the description likewise treats 7.x versions before 7.0.2-10 as affected.

Defensive priority

High for any environment that accepts or transforms external BMP files. The main risk is service disruption from a crash, but the unauthenticated remote attack path makes this a priority for exposed image-processing services.

Recommended defensive actions

  • Upgrade ImageMagick to a fixed release that is outside the affected version ranges identified by NVD.
  • Confirm deployed package versions against both affected branches: before 6.9.10-50 and 7.0.0-0 through 7.0.2-9.
  • Apply vendor or downstream patches where full version upgrades are not immediately possible.
  • Restrict or sandbox image parsing workloads that handle untrusted files.
  • Add file-type and dimension validation at upload or ingestion points before handing content to ImageMagick.
  • Monitor application and worker crash logs for repeated BMP-related failures and restart loops.
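The dimension-validation action above can be implemented as a cheap pre-screen that reads only the BMP headers and refuses files whose declared width and height would push the pixel-buffer calculation past 32-bit arithmetic, which is the CWE-190 pattern NVD attributes to this CVE. The following is an added example written for this debrief, not code from ImageMagick or from the NVD references; the size limits and the `make_bmp_header` test helper are assumptions chosen for illustration.

```python
import struct

# Constructed policy limits for an ingestion gate (assumptions, not from NVD).
MAX_DIMENSION = 16384                 # largest width or height we will pass on
MAX_PIXEL_BYTES = 256 * 1024 * 1024   # largest decoded pixel buffer we will allow

def bmp_header_check(data: bytes) -> tuple[bool, str]:
    """Pre-screen a BMP before it reaches ImageMagick.

    Reads only the 14-byte file header and the start of the DIB header and
    refuses files whose declared width/height would push the pixel-buffer
    size past 32-bit arithmetic (the CWE-190 pattern behind CVE-2016-6823)
    or past the local size policy. Returns (accepted, reason).
    """
    if len(data) < 30:
        return False, "truncated header"
    if data[:2] != b"BM":
        return False, "not a BMP signature"
    dib_size = struct.unpack_from("<I", data, 14)[0]
    if dib_size == 12:
        # BITMAPCOREHEADER: unsigned 16-bit width and height
        width, height, _planes, bpp = struct.unpack_from("<HHHH", data, 18)
    elif dib_size >= 40:
        # BITMAPINFOHEADER and successors: signed 32-bit width and height
        width, height, _planes, bpp = struct.unpack_from("<iiHH", data, 18)
    else:
        return False, f"unsupported DIB header size {dib_size}"
    height = abs(height)  # a negative height only marks a top-down bitmap
    if width <= 0 or height == 0:
        return False, "non-positive dimensions"
    if bpp not in (1, 4, 8, 16, 24, 32):
        return False, f"unsupported bit depth {bpp}"
    # Rows are padded to 4 bytes; Python big ints show the true product,
    # which a C decoder doing 32-bit arithmetic would silently wrap.
    bytes_per_row = ((width * bpp + 31) // 32) * 4
    pixel_bytes = bytes_per_row * height
    if pixel_bytes > 0xFFFFFFFF:
        return False, "pixel buffer overflows 32-bit arithmetic"
    if width > MAX_DIMENSION or height > MAX_DIMENSION:
        return False, "dimension exceeds policy"
    if pixel_bytes > MAX_PIXEL_BYTES:
        return False, "decoded size exceeds policy"
    return True, "ok"

def make_bmp_header(width: int, height: int, bpp: int = 24) -> bytes:
    """Constructed file header + BITMAPINFOHEADER (no pixel data), for testing."""
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, bpp, 0, 0, 0, 0, 0, 0)
    return b"BM" + struct.pack("<IHHI", 54, 0, 0, 54) + dib
```

Run the check on the raw upload bytes before the file is queued for conversion; a rejection here is also a useful signal to log, since repeated oversized-geometry rejections from one source match the crash pattern the monitoring action above looks for.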

Evidence notes

This debrief is based on the supplied NVD record and linked references only. NVD lists CVE-2016-6823 as a CWE-190 integer overflow in ImageMagick’s BMP coder, with CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The record’s CPE criteria identify vulnerable ImageMagick ranges ending before 6.9.10-50 and before 7.0.2-10 on the 7.x line. Supporting references include an oss-security mailing list thread, a Debian bug report, and the upstream ImageMagick patch commit.

Official resources

NVD published the CVE record on 2017-01-18 and later modified it on 2026-05-13. The reference set points to an oss-security mailing list thread, a Debian bug report, and the upstream ImageMagick patch commit, indicating public advisory and