PatchSiren cyber security CVE debrief
CVE-2016-9559 Imagemagick CVE debrief
CVE-2016-9559 is a denial-of-service vulnerability in ImageMagick's TIFF coder that can crash the application when it processes a crafted image. The flaw is a NULL pointer dereference in coders/tiff.c, and NVD rates the issue as network-reachable with user interaction required and high availability impact. The public record shows fixes and issue tracking activity in November 2016, while the CVE itself was published on 2017-03-01.
- Vendor: Imagemagick
- Product: CVE-2016-9559
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-03-01
- Original CVE updated: 2026-05-13
- Advisory published: 2017-03-01
- Advisory updated: 2026-05-13
Who should care
Administrators, application owners, and developers who deploy ImageMagick or applications that embed it for image processing should care, especially if they accept untrusted image uploads or convert user-supplied TIFF files. Debian 8 is also listed in the vulnerable CPE data, so distribution-maintained packages should be checked as well.
Technical summary
NVD describes the weakness as CWE-476 (NULL pointer dereference). The vulnerable range covers ImageMagick versions before 6.9.6-5, and versions from 7.0.0-0 up to, but not including, 7.0.3-7. The CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, indicating a remotely reachable crash condition with no confidentiality or integrity impact but high availability impact. The issue is triggered by a crafted image processed through the TIFF coder.
Defensive priority
Medium. This is not an RCE issue in the supplied record, but it is a remotely reachable crash in a widely used image library and can be relevant for services that process untrusted uploads.
Recommended defensive actions
- Upgrade ImageMagick to 7.0.3-7 or later, or to a release later than 6.9.6-5 for the 6.x line.
- If you rely on a Linux distribution package, confirm the vendor backport includes the fix rather than assuming the upstream version alone is sufficient.
- Audit services that accept user-controlled images for ImageMagick usage, especially TIFF handling paths.
- Use the linked issue/commit references to verify whether your deployed branch contains the patch or an equivalent backport.
- Monitor image-processing services for unexpected crashes or restarts after handling untrusted files.
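The version boundaries above are easy to get wrong by hand because ImageMagick uses a fourth, dash-separated release number (6.9.6-4 is older than 6.9.6-5). The following added example, not part of this debrief, parses a version string or the first line of `convert -version` / `magick -version` output and reports whether the upstream version falls inside the affected range; the banner format it accepts is an assumption about common ImageMagick output, and the sample banner is constructed.

```python
import re

# Affected ranges as stated in the NVD record quoted on this page:
# anything before 6.9.6-5, and 7.0.0-0 up to (not including) 7.0.3-7.
FIXED_6X = (6, 9, 6, 5)
FIRST_7X = (7, 0, 0, 0)
FIXED_7X = (7, 0, 3, 7)

# major.minor.patch with an optional "-release" suffix (e.g. 6.9.6-4).
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-(\d+))?")


def parse_version(text):
    """Return (major, minor, patch, release) from a bare version string or
    from a '-version' banner such as 'Version: ImageMagick 6.9.6-4 Q16 ...'.
    A missing release number is treated as 0."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no ImageMagick version found in: {text!r}")
    major, minor, patch, release = m.groups()
    return (int(major), int(minor), int(patch), int(release or 0))


def is_vulnerable(version):
    """True if the *upstream* version is inside the CVE-2016-9559 range.
    Distribution packages may carry a backported fix under an older version
    string, so a True result there means 'check the vendor advisory'."""
    if version[0] <= 6:
        return version < FIXED_6X
    if version[0] == 7:
        return FIRST_7X <= version < FIXED_7X
    return False  # newer major lines are outside the record's range


def assess(text):
    """Parse a version string or banner and return a one-line verdict."""
    v = parse_version(text)
    status = "vulnerable" if is_vulnerable(v) else "not in affected range"
    return "{}.{}.{}-{}: {}".format(*v, status)


if __name__ == "__main__":
    # Constructed sample banner; not output captured from any real host.
    banner = "Version: ImageMagick 6.9.6-4 Q16 x86_64 2016-11-01 http://www.imagemagick.org"
    for s in (banner, "6.9.6-5", "7.0.3-6", "7.0.3-7", "6.8.9-9"):
        print(assess(s))
```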
Evidence notes
All statements above are based on the supplied NVD/CVE record and its listed references. The record identifies the weakness as CWE-476 and gives the affected version boundaries, CVSS vector, and CVE publication date. Reference metadata points to a GitHub issue/commit, mailing list posts, and Debian advisory material associated with the fix.
Official resources
- CVE-2016-9559 CVE record (CVE.org)
- CVE-2016-9559 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference [link obscured in source]: Third Party Advisory
- Mitigation or vendor reference [link obscured in source]: Mailing List, Patch, Third Party Advisory
- Mitigation or vendor reference [link obscured in source]: Mailing List, Third Party Advisory
- Mitigation or vendor reference [link obscured in source]: Third Party Advisory, VDB Entry
- Mitigation or vendor reference [link obscured in source]: Patch, Third Party Advisory, VDB Entry
- Mitigation or vendor reference [link obscured in source]: Issue Tracking, Patch, Third Party Advisory
- Mitigation or vendor reference [link obscured in source]: Issue Tracking, Patch, Third Party Advisory
The CVE record was published on 2017-03-01. The supplied reference metadata shows associated patch and advisory activity in November 2016, which suggests the fix discussion and remediation existed before the CVE publication date.