PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-9317 Libgd CVE debrief

CVE-2016-9317 is a denial-of-service issue in libgd before 2.2.4. The vulnerability is described as an oversized image causing gdImageCreate to hang the system. Because libgd is commonly used to process image content, the risk is highest in applications that accept untrusted images. The CVE was published on 2017-01-26, and the NVD entry points to the libgd 2.2.4 changelog and the corresponding fixing commit as references.

Vendor: Libgd
Product: CVE-2016-9317
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-26
Original CVE updated: 2026-05-13
Advisory published: 2017-01-26
Advisory updated: 2026-05-13

Who should care

Teams running applications or services that use libgd to parse or generate images, especially if those applications accept user-supplied or externally sourced image files. Package maintainers and distro security teams should also care because the issue is fixed in libgd 2.2.4 and earlier versions remain vulnerable.

Technical summary

NVD identifies the affected product as libgd versions up to and including 2.2.3, with the issue classified under CWE-20 (improper input validation). The reported impact is availability-only: an oversized image can cause gdImageCreate to hang, resulting in a denial of service. The supplied NVD metadata includes a CVSS 3.0 vector of AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (local attack vector, user interaction required, high availability impact), while the textual description says remote attackers can trigger the issue; that discrepancy is worth noting when triaging exposure, since a service that decodes uploaded images is effectively remotely reachable regardless of the vector's AV:L. The references supplied in the CVE record point to a libgd 2.2.4 changelog entry and a specific fixing commit.

Defensive priority

Medium. The issue does not indicate code execution or data exposure, but it can still disrupt image-processing services and user-facing applications. Priority increases if libgd handles untrusted uploads, batch image conversion, thumbnailing, or other high-volume content ingestion.

Recommended defensive actions

  • Upgrade libgd to version 2.2.4 or later.
  • Inventory applications and libraries that depend on libgd, including transitive dependencies in packaged software.
  • Review any service that accepts untrusted images for potential denial-of-service exposure and add input validation, size limits, and request throttling where appropriate.
  • Monitor for hangs or worker starvation in image-processing pipelines, especially after large or malformed uploads.
  • If upgrading is not immediately possible, reduce exposure by restricting image upload sources and isolating image-processing workloads.
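As an added example (not libgd's own code and not part of the PatchSiren record), the kind of application-level guard that the input-validation and size-limit recommendations above describe, applied to the failure mode from the technical summary: the dimensions decoded from an untrusted image header are checked for sign, integer overflow and a pixel budget before anything is passed to gdImageCreate. The function names (`image_dims_acceptable`, `palette_bytes_needed`), the `MAX_PIXELS` budget and the one-byte-per-pixel-plus-row-pointers memory estimate are this example's own assumptions, and the header values in `main` are constructed. It is a complement to upgrading to 2.2.4, not a replacement for it.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed pixel budget for the example: 16 megapixels. A real service
 * would size this from the largest image it legitimately needs to handle. */
#define MAX_PIXELS ((size_t)16 * 1024 * 1024)

/* Estimate the bytes a palette image of sx * sy pixels would need, assuming
 * (for this example) one byte per pixel plus one row pointer per scanline.
 * Returns false when the dimensions are non-positive or the arithmetic would
 * overflow size_t; callers must treat false as "too large", not "unknown". */
bool palette_bytes_needed(int sx, int sy, size_t *out)
{
    if (sx <= 0 || sy <= 0)
        return false;
    size_t w = (size_t)sx, h = (size_t)sy;
    if (h > SIZE_MAX / w)                                   /* w * h overflows */
        return false;
    size_t pixels = w * h;
    if (h > (SIZE_MAX - pixels) / sizeof(unsigned char *))  /* + row pointers overflows */
        return false;
    *out = pixels + h * sizeof(unsigned char *);
    return true;
}

/* Application-level guard: accept dimensions only if they are positive, do not
 * overflow, and stay within the caller's pixel budget. Apply this to the
 * width/height read from an untrusted header before calling gdImageCreate,
 * so an absurd header claim is rejected without any allocation being attempted. */
bool image_dims_acceptable(int sx, int sy, size_t max_pixels)
{
    size_t bytes;
    if (!palette_bytes_needed(sx, sy, &bytes))
        return false;
    return (size_t)sx * (size_t)sy <= max_pixels;
}

int main(void)
{
    /* Constructed header values, not taken from any real file. */
    struct { int sx, sy; const char *label; } samples[] = {
        {640, 480, "ordinary upload"},
        {4096, 4096, "exactly at budget"},
        {100000, 100000, "oversized header claim"},
        {-1, 100, "negative dimension"},
        {INT_MAX, INT_MAX, "int-max dimensions"},
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t bytes = 0;
        bool ok = image_dims_acceptable(samples[i].sx, samples[i].sy, MAX_PIXELS);
        bool est = palette_bytes_needed(samples[i].sx, samples[i].sy, &bytes);
        printf("%-24s %11d x %11d -> %s", samples[i].label,
               samples[i].sx, samples[i].sy, ok ? "accept" : "reject");
        if (est)
            printf(" (would need ~%zu bytes)", bytes);
        printf("\n");
    }
    return 0;
}
```

The check deliberately runs on the decoded header fields rather than on file size: a small file can still declare enormous dimensions, which is the shape of problem the CVE description attributes to gdImageCreate. Pair it with the request throttling and worker-timeout monitoring from the list above so that a rejected image is logged rather than silently dropped.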

Evidence notes

All statements above are derived from the supplied CVE/NVD corpus and the referenced official links listed in the record. The CVE description states that gdImageCreate in libgd before 2.2.4 can be driven into a system hang by an oversized image. NVD metadata lists affected versions through 2.2.3 and classifies the weakness as CWE-20. The record also includes references to Debian advisory DSA-3777, the libgd 2.2.4 changelog, and the fixing commit 1846f48e5fcdde996e7c27a4bbac5d0aef183e4b.

Official resources

Published by NVD/CVE on 2017-01-26. No KEV listing is provided in the supplied corpus.