PatchSiren cyber security CVE debrief

CVE-2016-8677 ImageMagick CVE debrief

CVE-2016-8677 is a high-severity ImageMagick issue in AcquireQuantumPixels within MagickCore/quantum.c. A crafted image file can trigger a memory allocation failure during image processing. NVD rates the issue 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), and the record includes upstream and downstream references showing fixes and advisories available around October 2016, before the CVE publication date on 2017-02-15.

Vendor
ImageMagick
Product
CVE-2016-8677
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-15
Original CVE updated
2026-05-13
Advisory published
2017-02-15
Advisory updated
2026-05-13

Who should care

Administrators and developers running ImageMagick to process untrusted images, especially in upload, conversion, thumbnailing, or batch-processing pipelines.

Technical summary

The vulnerable function is AcquireQuantumPixels in ImageMagick's MagickCore/quantum.c. According to the CVE description, a crafted image file can trigger a memory allocation failure. NVD's affected-version data covers ImageMagick versions before 6.9.5-10, and 7.x versions from 7.0.0-0 up to but not including 7.0.3-1. The NVD record classifies the weakness as NVD-CWE-noinfo, so the precise weakness category is not specified in the source record.

Defensive priority

High. The issue is network-reachable in common deployment patterns, requires only user interaction, and affects software commonly exposed to untrusted file input. Prioritize patching where ImageMagick processes attacker-controlled images.

Recommended defensive actions

  • Inventory all ImageMagick installations and determine whether they fall within the affected NVD version ranges.
  • Upgrade ImageMagick to 7.0.3-1 or later on the 7.x line (6.9.5-10 or later on the 6.x line, per the NVD affected ranges), and use vendor-maintained packages that include the relevant fix for packaged deployments.
  • If you rely on distribution packages, apply the corresponding OS vendor updates and advisories rather than assuming upstream version numbers alone.
  • Restrict ImageMagick processing of untrusted files to isolated or sandboxed services where practical.
  • Monitor image-processing services for crashes or allocation-failure events after remediation to confirm the fix is working as expected.
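A version-range check for the inventory and upgrade steps above, added here as an illustration and not part of the PatchSiren debrief. It encodes the NVD affected ranges quoted on this page, assumes input lines shaped like the first line of `convert -version`, and uses constructed host names and version strings.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, patch, release)

# Affected ranges as given in the NVD data quoted in this debrief:
# everything below 6.9.5-10, and 7.0.0-0 up to but not including 7.0.3-1.
FIXED_6: Version = (6, 9, 5, 10)
FIRST_7: Version = (7, 0, 0, 0)
FIXED_7: Version = (7, 0, 3, 1)

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:-(\d+))?\b")  # "6.9.5-10" or "7.0.3"


def parse_version(text: str) -> Optional[Version]:
    """Extract the version from a line like the first line of `convert -version`.
    A missing -release suffix is treated as release 0."""
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    major, minor, patch, release = match.groups()
    return (int(major), int(minor), int(patch), int(release or 0))


def is_affected(version: Version) -> bool:
    """True when the version lies inside either NVD affected range."""
    return version < FIXED_6 or FIRST_7 <= version < FIXED_7


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'affected' | 'not-affected' | 'unknown'. Distribution packages
    may carry backported fixes, so 'affected' means 'check the vendor advisory'."""
    result: Dict[str, str] = {}
    for host, line in inventory.items():
        version = parse_version(line)
        if version is None:
            result[host] = "unknown"
        else:
            result[host] = "affected" if is_affected(version) else "not-affected"
    return result


# Constructed sample inventory (hypothetical hosts, not data from the page).
SAMPLE_INVENTORY = {
    "web-01": "Version: ImageMagick 6.9.5-9 Q16 x86_64 2016-09-01",
    "web-02": "Version: ImageMagick 6.9.5-10 Q16 x86_64 2016-10-05",
    "thumb-01": "Version: ImageMagick 7.0.3-0 Q16 x86_64 2016-10-01",
    "thumb-02": "Version: ImageMagick 7.0.3-1 Q16 x86_64 2016-10-10",
    "batch-01": "convert: command not found",
}
```

Feed `triage` the captured first line of `convert -version` from each host; "affected" hosts on distribution packages still need the vendor advisory checked, as the action list above notes.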

Evidence notes

The debrief is based on the NVD record, the CVE record, and the listed references. The CVE description states that AcquireQuantumPixels in ImageMagick before 7.0.3-1 can be triggered by a crafted image file. NVD provides CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H and affected CPE criteria for ImageMagick versions before 6.9.5-10 and for 7.0.0-0 up to but not including 7.0.3-1. Supporting references in NVD include the upstream GitHub commit, GitHub issue #268, Gentoo's write-up, and distro advisories from openSUSE and Debian, indicating remediation activity around October 2016.

Official resources

CVE published by NVD/CVE on 2017-02-15. The listed patch and advisory references date to October 2016, indicating remediation work existed before CVE publication. The record was modified later, on 2026-05-13, which should not be treated as,