PatchSiren cyber security CVE debrief
CVE-2017-6497 Imagemagick CVE debrief
CVE-2017-6497 is a high-severity availability issue in ImageMagick 6.9.7. According to the CVE description and NVD data, a specially crafted PSD file can trigger a NULL pointer dereference, which can crash the application and result in denial of service. NVD classifies the issue as CVSS 3.0 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating a network-reachable, low-complexity DoS risk for deployments that process untrusted image content.
- Vendor: Imagemagick
- Product: CVE-2017-6497
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-03-06
- Original CVE updated: 2026-05-13
- Advisory published: 2017-03-06
- Advisory updated: 2026-05-13
Who should care
Administrators and developers running ImageMagick 6.9.7, especially in services that accept or process user-supplied PSD files or other untrusted images. Security teams supporting file upload pipelines, image conversion services, and document processing systems should review exposure promptly.
Technical summary
The vulnerability is a NULL pointer dereference in ImageMagick 6.9.7 associated with parsing a specially crafted PSD file. The documented impact is denial of service only: confidentiality and integrity are not affected in the provided CVSS vector, while availability is high. The CVE record and NVD both point to an upstream ImageMagick patch commit as the remediation reference.
Defensive priority
High for any environment that processes untrusted image uploads or automated image conversions; otherwise moderate. Because the issue is remotely reachable in the CVSS vector and can cause service interruption, exposed parsing endpoints should be prioritized for patching.
Recommended defensive actions
- Upgrade ImageMagick to a version that includes the upstream fix referenced by the ImageMagick patch commit.
- Treat PSD and other user-controlled image inputs as untrusted and isolate image-processing services where feasible.
- Review upload and conversion workflows for exposure to crafted image files, especially where ImageMagick is invoked automatically.
- If immediate upgrading is not possible, reduce exposure by restricting which file types can reach ImageMagick and by placing processing behind strict validation and sandboxing controls.
- Verify remediation against the upstream patch reference and confirm the affected 6.9.7 build is no longer deployed.
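Two of the actions above (restricting which file types can reach ImageMagick, and confirming the affected 6.9.7 build is gone) can be checked mechanically. The script below is an added example written for this debrief; it is not PatchSiren or ImageMagick code. It assumes an upload pipeline that can inspect bytes before invoking the converter and that `identify -version` is the command used to read the installed version banner; the file signatures are the published magic numbers for each format, and all sample inputs are constructed inline.

```python
"""Defender-side checks for CVE-2017-6497 (added example, not project code):

1. classify_image / should_pass_to_imagemagick: a magic-byte allowlist that
   refuses PSD (and anything unrecognised) before ImageMagick parses it.
2. parse_imagemagick_version / is_affected_imagemagick: flags a 6.9.7
   build from the `identify -version` banner so a fleet check can find
   hosts that still run the release line named in the CVE record.
"""
import re
import subprocess
from typing import Optional

# Published file signatures at offset 0. "8BPS" is the PSD signature; the
# others are formats an upload endpoint would typically allow through.
_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif87": b"GIF87a",
    "gif89": b"GIF89a",
    "psd": b"8BPS",
}

# Formats that may reach ImageMagick. PSD is deliberately absent.
ALLOWED_FORMATS = frozenset({"png", "jpeg", "gif87", "gif89"})


def classify_image(data: bytes) -> Optional[str]:
    """Return the format whose signature starts `data`, or None if unknown."""
    for name, magic in _SIGNATURES.items():
        if data[: len(magic)] == magic:
            return name
    return None


def should_pass_to_imagemagick(data: bytes) -> bool:
    """Allowlist gate: True only for a recognised, permitted format.

    The decision is made on bytes, not on the file name, so a PSD saved as
    photo.png is still rejected; unknown data is rejected as well.
    """
    return classify_image(data) in ALLOWED_FORMATS


_VERSION_RE = re.compile(r"ImageMagick\s+(\d+)\.(\d+)\.(\d+)")


def parse_imagemagick_version(version_output: str) -> Optional[tuple]:
    """Extract (major, minor, patch) from an `identify -version` banner."""
    m = _VERSION_RE.search(version_output)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def is_affected_imagemagick(version_output: str) -> bool:
    """True when the banner reports the 6.9.7 release line from the CVE."""
    return parse_imagemagick_version(version_output) == (6, 9, 7)


def installed_version_output() -> str:
    """Run the real binary if present; returns "" when ImageMagick is absent."""
    try:
        return subprocess.run(["identify", "-version"], capture_output=True,
                              text=True, check=False).stdout
    except FileNotFoundError:
        return ""


if __name__ == "__main__":
    # Constructed sample uploads: a PNG header, a PSD header hidden behind a
    # .png name, and an unrecognised blob.
    uploads = {
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "renamed.png": b"8BPS\x00\x01" + b"\x00" * 16,
        "blob.bin": b"\x00\x00\x00\x00",
    }
    for name, blob in uploads.items():
        verdict = "pass" if should_pass_to_imagemagick(blob) else "reject"
        print(f"{name:12s} -> {classify_image(blob)!s:6s} {verdict}")

    # Constructed banner in the shape `identify -version` prints.
    sample_banner = "Version: ImageMagick 6.9.7-4 Q16 x86_64"
    print("sample banner affected:", is_affected_imagemagick(sample_banner))
    live = installed_version_output()
    if live:
        print("installed build affected:", is_affected_imagemagick(live))
```

The byte-level gate complements, rather than replaces, ImageMagick's own `policy.xml`, where the PSD coder can be disabled with a line such as `<policy domain="coder" rights="none" pattern="PSD" />`; running both means a PSD is refused at the upload boundary and, should one slip through another path, by the library itself. The version check only identifies the 6.9.7 line named in the CVE record and does not by itself prove that a later build carries the upstream patch; verify that against the patch reference as the last action above says.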
Evidence notes
The CVE description states that an issue was discovered in ImageMagick 6.9.7 and that a specially crafted PSD file can lead to a NULL pointer dereference causing DoS. NVD assigns CWE-476 and CVSS 3.0 7.5 with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The supplied references include the CVE record, the NVD detail page, a Debian bug tracker entry, and an ImageMagick patch commit.
Official resources
- CVE-2017-6497 CVE record (CVE.org)
- CVE-2017-6497 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
- Mitigation or vendor reference: [email protected] - Issue Tracking, Mailing List, Third Party Advisory
- Mitigation or vendor reference: [email protected] - Patch
CVE published on 2017-03-06. NVD metadata was later modified on 2026-05-13; that update does not change the original CVE issue date.