PatchSiren cyber security CVE debrief

CVE-2016-9773 ImageMagick CVE debrief

CVE-2016-9773 affects ImageMagick 7.0.3-8 and is described by NVD as a heap-based buffer overflow / out-of-bounds heap read in IsPixelGray when processing a crafted image file. The issue is explicitly noted as an incomplete fix for CVE-2016-9556. The main impact is denial of service, with the published CVSS vector rating availability as high impact.

Vendor: ImageMagick
Product: CVE-2016-9773
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-17
Original CVE updated: 2026-05-13
Advisory published: 2017-02-17
Advisory updated: 2026-05-13

Who should care

Organizations that process untrusted image files with ImageMagick, especially systems exposing image conversion, upload handling, thumbnails, or batch processing pipelines. Security teams and maintainers should care most if they deploy the affected 7.0.3-8 release or inherited packages built from it.

Technical summary

NVD lists the vulnerable CPE as ImageMagick 7.0.3-8 and assigns CWE-119 and CWE-125. The flaw is in MagickCore/pixel-accessor.h, specifically the IsPixelGray function, where crafted input can trigger an out-of-bounds heap read / heap-based overflow condition. The NVD CVSS vector is CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The record also states that this vulnerability exists because of an incomplete fix for CVE-2016-9556.

Defensive priority

Medium. The issue is publicly known and affects a specific ImageMagick release, but the published severity is 5.5 and the primary stated outcome is denial of service. Prioritize if the affected version is present in internet-facing or high-volume image-processing workflows.

Recommended defensive actions

  • Identify ImageMagick deployments and confirm whether any systems run version 7.0.3-8 or a package derived from it.
  • Upgrade to a non-vulnerable ImageMagick release that includes the fix for the incomplete CVE-2016-9556 remediation.
  • Treat untrusted image uploads and conversion jobs as security-sensitive inputs and isolate processing where practical.
  • Review dependent applications and libraries that bundle or call ImageMagick to ensure they are not shipping the affected code.
  • Monitor for crashes or abnormal termination during image parsing or conversion, especially for malformed or user-supplied images.
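As an added example (not PatchSiren's or ImageMagick's own code), the version check from the first action above, written as a POSIX shell script: it extracts the version from `magick -version` output and classifies it against the single release NVD lists, 7.0.3-8. The sample output is constructed; the "predates-fix" label for older releases follows from the record's note that this CVE is an incomplete fix for CVE-2016-9556, and a newer release is only labelled "newer", since the page does not name the release that carries the corrected fix.

```shell
#!/bin/sh
# Constructed sample of `magick -version` output (not captured from a real host).
SAMPLE_OUTPUT='Version: ImageMagick 7.0.3-8 Q16 x86_64 2016-11-30
Copyright: (C) 1999-2016 ImageMagick Studio LLC'

# The only release NVD lists as vulnerable to CVE-2016-9773.
AFFECTED="7.0.3-8"

# Pull "major.minor.patch-release" out of the first "Version:" line.
im_extract_version() {
  printf '%s\n' "$1" \
    | sed -n 's/^Version: ImageMagick \([0-9][0-9.]*-[0-9][0-9]*\).*/\1/p' \
    | head -n 1
}

# Compare two ImageMagick versions field by field; prints -1, 0 or 1.
# A missing "-release" field is treated as 0.
im_version_cmp() {
  va=$1; vb=$2
  set -- $(printf '%s' "$va" | sed 's/[.-]/ /g')
  a1=$1; a2=$2; a3=$3; a4=${4:-0}
  set -- $(printf '%s' "$vb" | sed 's/[.-]/ /g')
  b1=$1; b2=$2; b3=$3; b4=${4:-0}
  for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3" "$a4 $b4"; do
    set -- $pair
    if [ "$1" -lt "$2" ]; then printf '%s\n' -1; return 0; fi
    if [ "$1" -gt "$2" ]; then printf '%s\n' 1; return 0; fi
  done
  printf '%s\n' 0
}

# Classify an installed version relative to the affected release.
im_classify() {
  [ -n "$1" ] || { printf '%s\n' unknown; return 0; }   # no Version: line found
  case "$(im_version_cmp "$1" "$AFFECTED")" in
    0)  printf '%s\n' affected ;;      # the release NVD lists for CVE-2016-9773
    -1) printf '%s\n' predates-fix ;;  # older than the incomplete fix; review CVE-2016-9556 exposure
    *)  printf '%s\n' newer ;;         # past 7.0.3-8; confirm the corrected fix in the vendor changelog
  esac
}

# Demonstration on the constructed sample; on a real host replace SAMPLE_OUTPUT with
# "$(magick -version 2>/dev/null || convert -version)".
found=$(im_extract_version "$SAMPLE_OUTPUT")
printf 'installed ImageMagick %s -> %s\n' "$found" "$(im_classify "$found")"
```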

Evidence notes

The CVE description and NVD metadata identify a heap-based buffer overflow / out-of-bounds heap read in IsPixelGray in MagickCore/pixel-accessor.h, affecting ImageMagick 7.0.3-8. NVD lists CWE-119 and CWE-125, and the record ties the flaw to an incomplete fix for CVE-2016-9556. Reference URLs in the NVD record include Openwall oss-security mailing list posts dated 2016-12-01 and 2016-12-02, plus a Gentoo blog advisory describing the ImageMagick heap-based buffer overflow in IsPixelGray.

Official resources

Publicly disclosed in the NVD/CVE record on 2017-02-17, with supporting third-party advisories referenced from 2016-12-01 and 2016-12-02. The source record was later modified on 2026-05-13.