CVE-2016-7799 Imagemagick CVE debrief

Who should care

Administrators, developers, and package maintainers who deploy ImageMagick or applications that parse untrusted images or profiles. Risk is highest where image uploads, email attachments, document conversion, or automated thumbnailing pipelines process attacker-controlled files.

Technical summary

The issue is classified by NVD as CWE-125 (out-of-bounds read). The vulnerable path is in MagickCore/profile.c, where handling a crafted file can cause ImageMagick to read beyond intended bounds and crash or otherwise deny service. NVD’s CVSS data indicates no confidentiality or integrity impact, but high availability impact. The published vulnerability criteria include ImageMagick versions before 7.0.3-2, and NVD also lists 6.x versions prior to 6.9.6-0 as vulnerable.

Defensive priority

Medium. The vulnerability is remote-triggerable but requires user interaction, and the primary impact is denial of service rather than code execution or data loss. It should still be prioritized for systems that ingest untrusted images automatically or at scale.

Recommended defensive actions

• Upgrade ImageMagick to a fixed release at or beyond 7.0.3-2, or to the appropriate patched version for your maintained branch.
• If you maintain a 6.x line, verify that your package or vendor build includes a fix consistent with NVD’s vulnerable-range cutoff before 6.9.6-0.
• Review image-processing workflows that accept untrusted files, including upload, preview, conversion, and thumbnail services.
• Limit exposure by isolating image-processing services and applying least-privilege execution where feasible.
• Confirm your distribution or vendor package has incorporated the fix, especially if you rely on backported security updates.

Evidence notes

The core facts come from the official CVE/NVD record: the description names MagickCore/profile.c, the out-of-bounds read, and the remote denial-of-service impact. NVD also supplies the CWE-125 classification, the CVSS 3.1 vector, and vulnerable-version criteria for ImageMagick before 7.0.3-2, plus 6.x ranges ending before 6.9.6-0. The linked GitHub commit and issue references are included as patch/issue-tracking context in the source corpus.

Official resources