PatchSiren

CVE-2016-8678 ImageMagick CVE debrief

CVE-2016-8678 describes a denial-of-service issue in ImageMagick's IsPixelMonochrome function. NVD records the weakness as an out-of-bounds read (CWE-125) and lists ImageMagick 7.0.3-0 as vulnerable. The CVE description says a crafted file can trigger a crash, and it also notes the vendor's statement that this is a Q64 issue and that Q64 is not supported.

Vendor: Imagemagick
Product: CVE-2016-8678
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-15
Original CVE updated: 2026-05-13
Advisory published: 2017-02-15
Advisory updated: 2026-05-13

Who should care

Administrators, developers, and service owners running ImageMagick 7.0.3-0, especially in file-processing pipelines that accept untrusted images or rely on Q64 builds.

Technical summary

NVD's CVSS 3.0 vector is AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, which indicates a high impact on availability and requires user interaction. The CVE description attributes the failure to an out-of-bounds read in MagickCore/pixel-accessor.h's IsPixelMonochrome function, leading to a crash when processing a crafted file. The affected CPE in NVD is ImageMagick 7.0.3-0. The vendor note embedded in the description says the issue is specific to Q64 and that Q64 is not supported.

Defensive priority

Medium

Recommended defensive actions

  • Inventory ImageMagick deployments and confirm whether any systems are running version 7.0.3-0 or otherwise matching the vulnerable CPE listed by NVD.
  • Move off unsupported Q64 builds if they are in use, since the vendor note in the CVE description says the issue is a Q64 issue and Q64 is not supported.
  • Update to a release that is not listed as vulnerable by NVD for CVE-2016-8678.
  • Treat untrusted image uploads and conversions as higher risk, and isolate or sandbox image-processing workloads where practical.
  • Watch for crashes or abnormal termination in image-processing services that may indicate malformed-file handling issues.
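
The inventory checks in the first two actions can be scripted. The following is an added example, not code from PatchSiren or the ImageMagick project: it assumes the first line of `magick -version` or `identify -version` has the form "Version: ImageMagick <version> Q<depth> ...", and it flags only the exact version and quantum depth named in this debrief. The function name and finding labels are made up for the example.

```shell
#!/bin/sh
# Added example: flag an ImageMagick version banner that matches either
# condition named in this debrief (version 7.0.3-0, Q64 quantum depth).

# classify_im_banner BANNER
# Prints one finding per line. Returns 0 = no match, 1 = match, 2 = unparsed.
classify_im_banner() {
    # Assumed shape: "Version: ImageMagick <ver> Q<depth>[-HDRI] <arch> ..."
    # Only the first line of BANNER is read.
    read -r label product ver depth _rest <<EOF
$1
EOF
    if [ "$label" != "Version:" ] || [ "$product" != "ImageMagick" ]; then
        echo "UNPARSED"
        return 2
    fi
    depth=${depth%%-*}                  # "Q16-HDRI" -> "Q16"
    case $depth in
        Q[0-9]*) ;;
        *) echo "UNPARSED"; return 2 ;;
    esac
    rc=0
    if [ "$ver" = "7.0.3-0" ]; then     # vulnerable CPE listed by NVD
        echo "VERSION_MATCHES_CPE $ver"
        rc=1
    fi
    if [ "$depth" = "Q64" ]; then       # vendor note: Q64 is not supported
        echo "UNSUPPORTED_Q64_BUILD"
        rc=1
    fi
    [ "$rc" -ne 0 ] || echo "NO_MATCH $ver $depth"
    return "$rc"
}

# Constructed sample banners (not captured from real hosts).
for sample in \
    "Version: ImageMagick 7.0.3-0 Q64 x86_64 2016-10-01 http://www.imagemagick.org" \
    "Version: ImageMagick 7.0.3-0 Q16 x86_64 2016-10-01 http://www.imagemagick.org" \
    "Version: ImageMagick 7.1.1-15 Q16-HDRI x86_64 21298 https://imagemagick.org"
do
    classify_im_banner "$sample" || true
done

# Check the local install, if any ("magick" in ImageMagick 7, "identify" in 6).
for bin in magick identify; do
    if command -v "$bin" >/dev/null 2>&1; then
        classify_im_banner "$("$bin" -version 2>/dev/null)" || true
        break
    fi
done
```

A NO_MATCH result means only that the banner differs from the version and build type this debrief names; the vulnerable-version list itself should be confirmed against NVD.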

Evidence notes

This debrief is limited to the supplied CVE/NVD metadata and the reference list included in the source corpus. Supported facts used here include the CVE description, NVD's CWE-125 mapping, the CVSS 3.0 vector, and the vulnerable CPE entry for ImageMagick 7.0.3-0. The linked advisories and issue trackers are referenced by metadata only; their full contents were not fetched in this corpus.

Official resources

CVE published on 2017-02-15 and last modified by NVD on 2026-05-13. This debrief uses the CVE publication date as the disclosure anchor and does not treat later generation or review timing as the issue date.