PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-7101 Imagemagick CVE debrief

CVE-2016-7101 affects ImageMagick’s SGI coder and can be triggered by a remote attacker who supplies a crafted SGI file containing a large row value. The issue is an out-of-bounds read (CWE-125) with a CVSS v3 base score of 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H): the file has to be opened or processed on the victim side (UI:R), and the impact is confined to availability (A:H), i.e. a crash or denial of service rather than data disclosure. NVD lists as vulnerable all ImageMagick versions before 6.9.5-8, and 7.0.0-0 up to, but not including, 7.0.2-10.

Vendor
Imagemagick
Product
ImageMagick
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-18
Original CVE updated
2026-05-13
Advisory published
2017-01-18
Advisory updated
2026-05-13

Who should care

Teams that run ImageMagick directly, or indirectly through applications and services that accept user-supplied images, should care most. This is especially relevant for environments that process SGI files from untrusted sources, such as upload pipelines, media services, document conversion systems, and server-side thumbnailing jobs. Note that UI:R in the vector does not exclude unattended services: for a server-side pipeline the "interaction" is simply the service decoding the upload, so a worker that thumbnails untrusted files is exposed without any human clicking on anything.

Technical summary

The NVD description states that the SGI coder in ImageMagick before 7.0.2-10 can be driven into an out-of-bounds read by a large row value in an SGI file, causing a denial of service (in practice, a crash of the process that performs the decode). The mapped weakness is CWE-125. NVD’s affected CPE ranges identify versions before 6.9.5-8, and 7.0.0-0 up to, but not including, 7.0.2-10 as vulnerable. The CVSS vector carries UI:R and A:H: the victim side must process the attacker's file, but a successful trigger still takes the decoder down, and the vector records no confidentiality or integrity impact.
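As an added example (not ImageMagick's code and not a reproduction of the CVE's trigger), the following stand-alone Python pre-validator shows the kind of gate the "restrict or pre-validate SGI uploads" recommendation below refers to. It parses the 512-byte SGI header (big-endian, magic 474) and, for RLE-stored files, checks that every row's start/length table entry lies inside the file and that each row's run-length data decodes to exactly xsize samples without reading past its own bytes. The header layout follows the published SGI image file format; MAX_DIMENSION is an assumed pipeline cap, and the 2x2 sample file is constructed inline for the demonstration.

```python
import struct
from typing import Optional

# Added example for this debrief: a defensive SGI pre-validator, not ImageMagick code.
SGI_MAGIC = 474            # 0x01DA, first two bytes of every SGI file
HEADER_SIZE = 512
STORAGE_VERBATIM, STORAGE_RLE = 0, 1
MAX_DIMENSION = 16384      # assumed pipeline cap; tune it for your service


class SgiValidationError(ValueError):
    pass


def parse_header(data: bytes) -> dict:
    """Parse and sanity-check the fixed 512-byte header (all fields big-endian)."""
    if len(data) < HEADER_SIZE:
        raise SgiValidationError("file shorter than the 512-byte SGI header")
    magic, storage, bpc, dimension, xsize, ysize, zsize = struct.unpack(">HBBHHHH", data[:12])
    if magic != SGI_MAGIC:
        raise SgiValidationError("bad magic %#x" % magic)
    if storage not in (STORAGE_VERBATIM, STORAGE_RLE):
        raise SgiValidationError("unknown storage type %d" % storage)
    if bpc not in (1, 2):
        raise SgiValidationError("bytes per channel must be 1 or 2, got %d" % bpc)
    if dimension not in (1, 2, 3):
        raise SgiValidationError("dimension must be 1..3, got %d" % dimension)
    if dimension < 3:          # 2-D image: one channel; 1-D image: one scanline
        zsize = 1
    if dimension < 2:
        ysize = 1
    for name, value in (("xsize", xsize), ("ysize", ysize), ("zsize", zsize)):
        if not 0 < value <= MAX_DIMENSION:
            raise SgiValidationError("%s=%d outside 1..%d" % (name, value, MAX_DIMENSION))
    return {"storage": storage, "bpc": bpc, "xsize": xsize, "ysize": ysize, "zsize": zsize}


def decode_rle_row(row: bytes, bpc: int, xsize: int) -> int:
    """Walk one RLE row without materialising pixels and return the sample count.

    Raises if a run reads past the row's own bytes or the row expands beyond
    xsize, which are exactly the overruns a decoder must not trust the file on.
    """
    fmt, width = (">B", 1) if bpc == 1 else (">H", 2)
    pos = produced = 0
    while True:
        if pos + width > len(row):
            raise SgiValidationError("RLE row ends without a terminator")
        (token,) = struct.unpack_from(fmt, row, pos)
        pos += width
        count = token & 0x7F
        if count == 0:                       # zero count terminates the row
            return produced
        needed = count * width if token & 0x80 else width   # literal run vs replicated sample
        if pos + needed > len(row):
            raise SgiValidationError("RLE run reads past the end of its row")
        pos += needed
        produced += count
        if produced > xsize:
            raise SgiValidationError("RLE row expands beyond xsize=%d" % xsize)


def check_sgi(data: bytes) -> Optional[str]:
    """Return None if the file passes, otherwise the reason it was rejected."""
    try:
        hdr = parse_header(data)
        rows = hdr["ysize"] * hdr["zsize"]           # one table entry per (scanline, channel)
        if hdr["storage"] == STORAGE_VERBATIM:
            if len(data) < HEADER_SIZE + rows * hdr["xsize"] * hdr["bpc"]:
                raise SgiValidationError("verbatim pixel data truncated")
            return None
        table_len = rows * 4
        table_end = HEADER_SIZE + 2 * table_len       # start table, then length table
        if len(data) < table_end:
            raise SgiValidationError("RLE start/length tables truncated")
        starts = struct.unpack(">%dI" % rows, data[HEADER_SIZE:HEADER_SIZE + table_len])
        lengths = struct.unpack(">%dI" % rows, data[HEADER_SIZE + table_len:table_end])
        for i, (start, length) in enumerate(zip(starts, lengths)):
            end = start + length
            if start < table_end or end > len(data):
                raise SgiValidationError("row %d table entry [%d, %d) lies outside the %d-byte file"
                                         % (i, start, end, len(data)))
            decode_rle_row(data[start:end], hdr["bpc"], hdr["xsize"])
        return None
    except SgiValidationError as exc:
        return str(exc)


def build_rle_sample(row: bytes = b"\x02\xaa\x00", lengths=None) -> bytes:
    """Constructed 2x2 single-channel RLE file (demo data, not a real-world sample)."""
    xsize, ysize, zsize = 2, 2, 1
    header = struct.pack(">HBBHHHHii4x80sI404x", SGI_MAGIC, STORAGE_RLE, 1, 2,
                         xsize, ysize, zsize, 0, 255, b"sample", 0)
    starts = (HEADER_SIZE + 16, HEADER_SIZE + 16 + len(row))   # both rows follow the 16-byte tables
    lengths = lengths or (len(row), len(row))
    return header + struct.pack(">2I", *starts) + struct.pack(">2I", *lengths) + row + row


if __name__ == "__main__":
    print("well-formed :", check_sgi(build_rle_sample()))
    print("huge length :", check_sgi(build_rle_sample(lengths=(3, 0xFFFFFFFF))))
    print("overlong row:", check_sgi(build_rle_sample(row=b"\x05\xaa\x00")))
```

The validator deliberately never allocates pixel buffers: it only compares table offsets and run lengths against the file size and xsize, so a hostile file cannot make the gate itself consume memory. Run it in the upload handler and reject anything that returns a reason string; it complements, and does not replace, upgrading ImageMagick, since it only covers the container structure a pre-filter can reason about.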

Defensive priority

Medium

Recommended defensive actions

  • Upgrade ImageMagick to a fixed release at or beyond the NVD-listed remediation boundary (7.0.2-10 or later; and for the older branch, a version at or beyond 6.9.5-8).
  • Inventory all deployments and embedded copies of ImageMagick to identify any vulnerable versions in servers, desktop tools, CI/CD images, and application dependencies.
  • Restrict or pre-validate SGI image uploads and convert untrusted files in controlled, isolated processing environments.
  • Monitor image-processing services for crashes, parser errors, or repeated failures tied to SGI input.
  • If immediate upgrading is not possible, reduce exposure by disabling the SGI coder where operationally feasible (ImageMagick's policy.xml supports denying individual coders by name) and by limiting who can supply image files.
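The inventory step above is where a single version threshold goes wrong: 6.9.5-8 is fixed even though it sorts below 7.0.1-0, which is not. The following added example (not tooling from ImageMagick or NVD) triages collected `-version` banners against both NVD-listed ranges. The hostnames and banner lines are constructed for the demonstration; only the range boundaries come from the NVD record.

```python
import re
from typing import Dict, Optional, Tuple

# Added example for this debrief: branch-aware version triage for CVE-2016-7101.
Version = Tuple[int, int, int, int]

# Boundaries from the NVD-listed affected ranges for this CVE.
FIXED_6X: Version = (6, 9, 5, 8)     # everything before 6.9.5-8 is listed as vulnerable
FIRST_7X: Version = (7, 0, 0, 0)
FIXED_7X: Version = (7, 0, 2, 10)    # 7.0.0-0 up to, but not including, 7.0.2-10

_VERSION_RE = re.compile(r"ImageMagick\s+(\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_version(version_line: str) -> Optional[Version]:
    """Extract (major, minor, patch, release) from a `convert -version` / `magick -version` banner."""
    m = _VERSION_RE.search(version_line)
    if not m:
        return None
    major, minor, patch, release = (int(g) for g in m.groups())
    return (major, minor, patch, release)


def is_vulnerable(version: Version) -> bool:
    """True when the version falls inside either NVD range (tuple comparison handles both branches)."""
    return version < FIXED_6X or FIRST_7X <= version < FIXED_7X


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'vulnerable' | 'patched' | 'unknown' from one banner line per host."""
    result: Dict[str, str] = {}
    for host, line in inventory.items():
        version = parse_version(line)
        if version is None:
            result[host] = "unknown"          # no ImageMagick found, or an unparsable banner
        else:
            result[host] = "vulnerable" if is_vulnerable(version) else "patched"
    return result


# Constructed sample inventory: hostnames and banners are illustrative, not real hosts.
SAMPLE_INVENTORY = {
    "thumb-01": "Version: ImageMagick 6.9.5-7 Q16 x86_64",
    "thumb-02": "Version: ImageMagick 6.9.5-8 Q16 x86_64",
    "convert-01": "Version: ImageMagick 7.0.1-0 Q16 x86_64",
    "convert-02": "Version: ImageMagick 7.0.2-10 Q16 x86_64",
    "legacy-01": "Version: ImageMagick 6.8.9-9 Q16 x86_64",
    "ci-runner": "command not found",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:12} {status}")
```

Treat "vulnerable" from a version string as "needs confirmation" on distribution-packaged builds: distributions commonly backport fixes under an older upstream version number, so for those hosts the distribution's own advisory, not the upstream banner, is the authority.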

Evidence notes

Source evidence comes from the NVD CVE record and its referenced advisories/patches. NVD describes the issue as an SGI coder out-of-bounds read leading to denial of service, assigns CWE-125, and lists the vulnerable version ranges. Referenced supporting material includes the Openwall oss-security post, Debian bug tracker entry, and ImageMagick GitHub commits linked from the NVD record.

Official resources

CVE published by NVD on 2017-01-18. This debrief uses the CVE publication date for timing context; later NVD modification metadata does not change the original issue date.