PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-10070 Opensuse CVE debrief

CVE-2016-10070 is a medium-severity ImageMagick parsing flaw in the MAT (MATLAB file) coder, coders/mat.c. NVD describes it as a heap-based buffer overflow in CalcMinMax, tagged CWE-125, that a crafted MAT file can trigger to produce an out-of-bounds read and crash the process. NVD assigns a CVSS v3.1 base score of 5.5 with availability as the only impact metric set.

Vendor
Opensuse
Product
ImageMagick (openSUSE Leap 42.1 and 42.2 packages)
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2017-03-03
Original CVE updated
2026-05-13
Advisory published
2017-03-03
Advisory updated
2026-05-13

Who should care

Teams running ImageMagick in applications or services that process untrusted images, especially batch conversion pipelines, document upload systems and thumbnailers, and maintainers of Linux distributions or packages built from the affected ImageMagick versions, including the openSUSE Leap CPEs listed by NVD.

Technical summary

NVD describes the flaw as a heap-based buffer overflow in CalcMinMax in coders/mat.c and classifies it as CWE-125 (out-of-bounds read); the CWE tag, together with C:N/I:N in the vector, indicates that the recorded effect is an over-read that crashes the process rather than a write that could be turned into code execution. The vulnerability affects ImageMagick versions before 6.9.4-0; NVD's CPE data marks ImageMagick through 6.9.3-10 as vulnerable, along with openSUSE Leap 42.1 and 42.2 entries. The published CVSS v3.1 vector is AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, a crash-oriented availability impact with no confidentiality or integrity impact. Note that AV:L and UI:R model a user opening a file on their own machine; a server-side pipeline that converts uploaded files on behalf of anonymous clients effectively hands an attacker network reach with no user interaction, so the practical exposure there is higher than the base score suggests.

Defensive priority

Medium. The score is not critical, but image processing libraries are often exposed to untrusted content, so even a crash-only flaw can become operationally important in upload, preview, or automation workflows.

Recommended defensive actions

  • Upgrade ImageMagick to 6.9.4-0 or later, or to a vendor package that carries the fix.
  • If you rely on distribution packages, verify whether your openSUSE or downstream build includes the relevant backport; the version string alone will not tell you, so check the package changelog or the referenced advisories.
  • Limit or sandbox processing of untrusted MAT files and other user-supplied images; if your workflows never need MAT input, deny the MAT coder outright in ImageMagick's policy.xml.
  • Isolate image conversion services so a parser crash does not affect broader application availability.
  • Review the referenced vendor and issue tracker advisories for package-specific remediation guidance.
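The two checks a practitioner wants after reading this list, as an added example that is not code from the page, from openSUSE or from the ImageMagick project: compare the installed version against the 6.9.4-0 boundary numerically (a string comparison ranks 6.9.10-x below 6.9.4-0), and confirm that the deployed policy.xml actually denies the MAT coder. The `-version` output and policy.xml content below are constructed samples in the real formats; the `assess` verdicts and their wording are this example's own convention, and a pre-6.9.4-0 version on a distribution package is reported as "verify backport", not as vulnerable, because the page notes that downstream builds may carry the fix without a version bump.

```python
"""Version gate and policy.xml check for CVE-2016-10070 (added example)."""
import fnmatch
import re
import xml.etree.ElementTree as ET

FIXED_IN = "6.9.4-0"  # first fixed upstream version per the NVD record on this page

# Constructed samples of `convert -version` / `magick -version` first lines.
VERSION_OLD = "Version: ImageMagick 6.9.3-10 Q16 x86_64 2016-05-03 http://www.imagemagick.org"
VERSION_NEW = "Version: ImageMagick 6.9.10-23 Q16 x86_64 2019-01-01 https://imagemagick.org"
VERSION_IM7 = "Version: ImageMagick 7.0.8-68 Q16 x86_64 2019-10-01 https://imagemagick.org"

# Constructed policy.xml bodies (DOCTYPE omitted for brevity; real files carry one).
POLICY_OPEN = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>"""
POLICY_MAT_DENIED = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="MAT"/>
</policymap>"""
RECOMMENDED_POLICY_LINE = '<policy domain="coder" rights="none" pattern="MAT" />'


def version_tuple(s: str) -> tuple:
    """'6.9.4-0' -> (6, 9, 4, 0); integers so ordering is numeric, not lexical."""
    return tuple(int(x) for x in re.split(r"[.-]", s))


def parse_im_version(version_text: str) -> tuple:
    """Pull the version tuple out of ImageMagick's -version banner."""
    m = re.search(r"ImageMagick\s+(\d+)\.(\d+)\.(\d+)-(\d+)", version_text)
    if not m:
        raise ValueError("no ImageMagick version string found")
    return tuple(int(g) for g in m.groups())


def upstream_fixed(version_text: str) -> bool:
    """True when the banner version is at or past the upstream fix boundary."""
    return parse_im_version(version_text) >= version_tuple(FIXED_IN)


def mat_coder_denied(policy_xml: str) -> bool:
    """True if some coder policy with rights="none" matches the MAT coder.
    ImageMagick patterns are glob-style ('*' denies every coder), so fnmatch
    is used here as an approximation of its matcher; assumption, not the
    project's own code."""
    root = ET.fromstring(policy_xml)
    for pol in root.iter("policy"):
        if pol.get("domain", "").lower() != "coder":
            continue
        if pol.get("rights", "").lower() != "none":
            continue
        if fnmatch.fnmatchcase("MAT", pol.get("pattern", "").upper()):
            return True
    return False


def assess(version_text: str, policy_xml: str, distro_package: bool) -> dict:
    """Combine both checks into a verdict for one host."""
    fixed = upstream_fixed(version_text)
    if fixed:
        verdict = "fixed upstream"
    elif distro_package:
        verdict = "verify backport"   # downstream may carry the fix at an old version
    else:
        verdict = "vulnerable"
    return {
        "version": ".".join(map(str, parse_im_version(version_text)[:3]))
                   + "-" + str(parse_im_version(version_text)[3]),
        "verdict": verdict,
        "mat_coder_denied": mat_coder_denied(policy_xml),
        "action": None if mat_coder_denied(policy_xml) else
                  f"add {RECOMMENDED_POLICY_LINE} to policy.xml",
    }


if __name__ == "__main__":
    for banner in (VERSION_OLD, VERSION_NEW, VERSION_IM7):
        print(assess(banner, POLICY_OPEN, distro_package=True))
    print(assess(VERSION_OLD, POLICY_MAT_DENIED, distro_package=False))
```

After adding the policy line, confirm it took effect with `convert -list policy` (or `magick -list policy` on ImageMagick 7) and by attempting to read a harmless .mat file, which should now fail with a policy error rather than being parsed.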

Evidence notes

The core vulnerability description, version boundary, and affected function come from the supplied NVD record. Supporting references include openSUSE advisories, an oss-security mailing list post, Launchpad and Bugzilla issue trackers, and upstream ImageMagick commits cited in the NVD metadata. NVD published the record on 2017-03-03 and later modified it on 2026-05-13; those dates describe the record, not when the issue was found or fixed.

Official resources

Publicly disclosed in the NVD record on 2017-03-03, with supporting vendor, mailing list, tracker, and upstream patch references cited in the record metadata.