PatchSiren cyber security CVE debrief
CVE-2016-6912 Libgd CVE debrief
CVE-2016-6912 is a critical double-free vulnerability in libgd’s gdImageWebPtr function. According to the NVD record, it affects libgd versions up to and including 2.2.3, with 2.2.4 as the fixed release. The issue is remotely reachable and rated CVSS 3.0 9.8, reflecting low attack complexity and no required privileges or user interaction.
- Vendor: Libgd
- Product: CVE-2016-6912
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-26
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-26
- Advisory updated: 2026-05-13
Who should care
Teams that build, package, or deploy software relying on libgd should care immediately, especially if image processing is exposed to untrusted input or network-facing services. Debian maintainers and downstream distributors should verify that their packaged libgd version includes the 2.2.4 fix.
Technical summary
The NVD record identifies a double free in gdImageWebPtr, classified as CWE-415. The vulnerable version range ends at 2.2.3, with 2.2.4 listed as the fixed release in the linked libgd changelog and commit reference. The CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a remotely exploitable flaw with potentially high confidentiality, integrity, and availability impact.
Defensive priority
Immediate. This is a network-exploitable memory-safety flaw with critical CVSS severity that requires no authentication or user interaction. Patch or upgrade libgd to 2.2.4 or later as soon as possible, then validate dependent packages and rebuild any bundled copies.
Recommended defensive actions
- Upgrade libgd to version 2.2.4 or later, or apply the vendor/backport fix used by your distribution.
- Inventory applications and packages that link against libgd, including transitive dependencies and bundled copies.
- Prioritize internet-facing services and any workflow that processes untrusted image content.
- Confirm your deployed version is outside the affected range ending at 2.2.3.
- Use your distribution security advisory or vendor changelog to verify the fix has been incorporated.
- If immediate upgrade is not possible, restrict exposure of image-processing entry points until remediation is complete.
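As an added example (not part of the PatchSiren debrief or of libgd itself), the version check from the list above in Python: it extracts the upstream libgd version from strings such as the output of `pkg-config --modversion gdlib` or a package listing and flags anything in the affected range ending at 2.2.3. The package names and the sample inventory are constructed; a distribution backport keeps the old upstream number while carrying the fix, so the advisory cross-check in the list above still applies.

```python
import re

# Upper bound of the affected range stated in the NVD record for CVE-2016-6912.
LAST_AFFECTED = (2, 2, 3)


def parse_version(text):
    """Extract the numeric upstream version from strings such as
    '2.2.3', '2.2.4-2+deb9u1' or 'libgd 2.1.1' and return it as an int tuple.
    Distribution suffixes (-2+deb9u1) are ignored: only the upstream part counts."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad short versions so '2.2' compares as 2.2.0 against 2.2.3.
    return parts + (0,) * (3 - len(parts))


def is_affected(version_text):
    """True when the upstream version falls inside the range ending at 2.2.3."""
    return parse_version(version_text) <= LAST_AFFECTED


def flag_inventory(lines):
    """Take 'package version' lines (constructed, package-listing style) and
    return the names whose libgd version is inside the affected range.
    A flagged package still needs the distribution advisory checked for a
    backported fix before it is declared vulnerable."""
    flagged = []
    for line in lines:
        name, _, version = line.strip().partition(" ")
        if "gd" in name and version and is_affected(version):
            flagged.append(name)
    return flagged


# Constructed sample inventory, not output from a real system.
SAMPLE = [
    "libgd3 2.2.3-1",         # inside the affected range
    "libgd3 2.2.4-2+deb9u1",  # upstream 2.2.4: the fixed release
    "libgd-dev 2.1.1",        # older release, still inside the range
    "libgd3 2.3.0",           # later than the fixed release
]

if __name__ == "__main__":
    for pkg in flag_inventory(SAMPLE):
        print("review against distribution advisory:", pkg)
```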
Evidence notes
This debrief is grounded in the supplied NVD CVE record and its linked references. The record states a double free in gdImageWebPtr, affected versions through 2.2.3, the CWE-415 mapping, and the CVSS 3.0 vector. The linked Debian advisory, libgd changelog, and libgd commit reference support the remediation timeline and fixed release. No exploit details or unsupported claims were used.
Official resources
- CVE-2016-6912 CVE record (CVE.org)
- CVE-2016-6912 NVD detail (NVD)
- Mitigation or vendor reference: Patch, Release Notes
- Mitigation or vendor reference: Patch, Vendor Advisory
Publicly disclosed in the NVD record on 2017-01-26. The source record was last modified on 2026-05-13. No KEV entry was supplied in the provided corpus.