PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-10165 Netapp CVE debrief

CVE-2016-10165 affects Little CMS (lcms2) profile parsing. A crafted ICC profile embedded in an image can trigger an out-of-bounds heap read in Type_MLU_Read, which may expose sensitive memory contents or crash the process.

Vendor: Netapp
Product: CVE-2016-10165
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-03
Original CVE updated: 2026-05-13
Advisory published: 2017-02-03
Advisory updated: 2026-05-13

Who should care

Teams that process untrusted images or ship Little CMS/lcms2, including desktop, server, and appliance products that bundle the library. The NVD record also maps the issue to multiple downstream distro and NetApp products, so package owners and appliance maintainers should verify exposure.

Technical summary

NVD classifies the issue as CWE-125 (out-of-bounds read) and scores it CVSS 3.1 base 7.1 HIGH with vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H. The flaw is in Type_MLU_Read in cmstypes.c: while parsing a crafted ICC profile, the function can read past the end of a heap buffer, enabling memory disclosure or denial of service.

Defensive priority

High

Recommended defensive actions

  • Inventory where Little CMS/lcms2 is present, including bundled copies in appliances and image-processing stacks.
  • Confirm whether your shipped version is vulnerable; NVD lists littlecms versions before 2.11 and several downstream products as affected.
  • Apply vendor or distribution updates referenced in the NVD record and linked advisories.
  • Treat untrusted image and ICC profile input as high risk until patched.
  • If patching is delayed, reduce exposure by restricting where image uploads or profile imports are accepted.
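As an added triage aid for the inventory and version-check steps above (not PatchSiren's or the lcms2 project's code), the following Python script compares version strings gathered from an inventory against the 2.11 threshold in the NVD record, using tuple comparison so that 2.9 is not mistaken for a release newer than 2.11. It assumes lcms2.h's LCMS_VERSION macro encodes 2.11 as 2110 and that pkg-config, where present, knows the library as lcms2; the inventory entries are constructed samples.

```python
import re
import subprocess
from typing import Optional, Tuple
FIXED_VERSION = (2, 11)  # NVD: littlecms before 2.11 is affected by CVE-2016-10165

def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Parse '2.9' or 'lcms2-2.12', or an LCMS_VERSION macro value such as '2110'
    (assumed lcms2.h convention: major, two-digit minor, patch), into a tuple."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if m:
        return tuple(int(g) for g in m.groups() if g is not None)
    m = re.fullmatch(r"\s*(\d)(\d{2})(\d)\s*", text)
    return tuple(int(g) for g in m.groups()) if m else None

def is_affected(version: Tuple[int, ...]) -> bool:
    # Tuple comparison: (2, 9) < (2, 11) is True, unlike the string "2.9" < "2.11".
    return version[:2] < FIXED_VERSION

def triage(inventory: dict) -> dict:
    """Classify each component as affected / not affected / unknown. Distros may
    backport the fix under an older version string, so 'affected' means 'check
    the distro advisory', not proof of exposure."""
    result = {}
    for name, raw in inventory.items():
        v = parse_version(raw)
        result[name] = "unknown" if v is None else (
            "affected" if is_affected(v) else "not affected")
    return result

def local_lcms2_version() -> Optional[str]:
    """Installed lcms2 version via pkg-config, or None if it cannot be queried."""
    try:
        out = subprocess.run(["pkg-config", "--modversion", "lcms2"],
                             capture_output=True, text=True, check=True)
        return out.stdout.strip()
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None

# Constructed sample inventory (not real hosts): pkg-config output, a bundled
# lcms2.h LCMS_VERSION macro value, a package file name, and an unknown.
SAMPLE_INVENTORY = {
    "web-upload-worker": "2.9",      # naive string comparison would call this safe
    "build-image-lcms2.h": "2110",   # LCMS_VERSION macro for 2.11
    "appliance-fw": "lcms2-2.12",
    "legacy-scanner": "version unknown",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
    print("local lcms2:", local_lcms2_version() or "not found via pkg-config")
```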

Evidence notes

The debrief is based on the NVD CVE record and its description of an out-of-bounds heap read in Type_MLU_Read, plus the CVSS vector and CWE-125 classification in the same record. NVD references include community patch discussion on Openwall and downstream advisories for Debian, openSUSE, Red Hat, Ubuntu, Oracle, and NetApp. The CVE was published on 2017-02-03 and later modified on 2026-05-13; no CISA KEV dates are present in the supplied corpus.

Official resources

Published by CVE/NVD on 2017-02-03; modified by NVD on 2026-05-13. No KEV listing is present in the supplied timeline.