PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-5241 Opensuse CVE debrief

CVE-2016-5241 is a denial-of-service flaw in GraphicsMagick's SVG rendering path. A crafted SVG can trigger an arithmetic exception in magick/render.c and crash the application. NVD rates the issue as medium severity and lists affected GraphicsMagick releases through 1.3.23, along with some downstream distro package CPEs.

Vendor: Opensuse
Product: GraphicsMagick (the NVD record also lists downstream openSUSE and Debian package CPEs)
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-03
Original CVE updated: 2026-05-13
Advisory published: 2017-02-03
Advisory updated: 2026-05-13

Who should care

Administrators, packagers, and application owners who use GraphicsMagick to process untrusted SVG files. This covers environments running the affected GraphicsMagick releases and the downstream packages NVD lists, among them openSUSE Leap 42.1, openSUSE 13.2, and Debian 8.0.

Technical summary

The issue is an arithmetic exception in magick/render.c that crashes GraphicsMagick when it renders a crafted SVG. NVD maps the weakness to CWE-189 (numeric errors) and assigns the CVSS 3.0 vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H: availability impact only, no privileges required, user interaction required, and a local attack vector. The public description nonetheless says remote attackers can trigger the issue via SVG input. Read the two together: AV:L with UI:R is the usual scoring for a malicious file that a victim must open or process, so a service that automatically renders user-supplied SVG with GraphicsMagick is, for practical purposes, reachable by the same input from the network, and the 5.5 score understates its exposure.

Defensive priority

Medium. The impact is service interruption rather than code execution, which keeps the overall priority moderate; raise it if your environment accepts untrusted SVG or relies on GraphicsMagick in automated image-handling pipelines, where one crafted file can repeatedly take down a worker.

Recommended defensive actions

  • Upgrade GraphicsMagick to 1.3.24 or later, or apply the vendor/distro fix if you rely on a backported package.
  • Check downstream packages in your distribution for backported patches, especially the openSUSE and Debian releases listed by NVD. A backported fix usually keeps the old upstream version string (a package may still report 1.3.23), so consult the package changelog or the distro advisory rather than the version number alone.
  • Restrict or sandbox processing of untrusted SVG files in services and workflows that invoke GraphicsMagick.
  • Monitor for unexpected GraphicsMagick crashes or repeated failures in image-processing jobs. An arithmetic exception terminates the process with SIGFPE on Linux, so a worker dying on that signal while handling SVG input is the signature to look for.
  • If patching is delayed, reduce exposure by limiting which users or systems can submit SVG content for processing.
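The version check, sandboxed invocation, and crash monitoring above, combined into one added example (this is not code from the page, from GraphicsMagick, or from any distribution). It uses the real `gm version` and `gm convert` commands; the sample `gm version` output is constructed, the fixed version 1.3.24 comes from the page's evidence, and the function names, resource limits, and alert threshold are choices made here. The version check only says whether the upstream version string predates the fix; as the list notes, a backported distro patch will still report the old string, so treat a "vulnerable" result as a prompt to check the package changelog.

```python
import re
import signal
import subprocess
from typing import List, Optional, Tuple

# Upstream release that carries the fix, per the NEWS entry cited on this page.
FIXED_VERSION: Tuple[int, int, int] = (1, 3, 24)

# Constructed sample of `gm version` output from an unpatched host (illustrative values).
SAMPLE_GM_VERSION_OUTPUT = (
    "GraphicsMagick 1.3.23 2015-11-07 Q16 http://www.GraphicsMagick.org/\n"
    "Copyright (C) 2002-2015 GraphicsMagick Group.\n"
)

# subprocess reports death-by-signal as a negative return code; SIGFPE is what an
# arithmetic exception produces on Linux.
SIGFPE_RETURNCODE = -int(signal.SIGFPE)

_VERSION_RE = re.compile(r"GraphicsMagick\s+(\d+)\.(\d+)\.(\d+)")


def parse_gm_version(output: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from `gm version` output, or None if absent."""
    m = _VERSION_RE.search(output)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def upstream_version_vulnerable(version: Tuple[int, int, int]) -> bool:
    """True if the upstream version string predates the fixed release.

    Caveat: distro packages backport fixes without bumping this string, so a True
    here means "check the package changelog", not "confirmed unpatched".
    """
    return version < FIXED_VERSION


def installed_gm_version() -> Optional[Tuple[int, int, int]]:
    """Query the installed binary; None if gm is missing or does not answer."""
    try:
        proc = subprocess.run(["gm", "version"], capture_output=True, text=True,
                              timeout=10, check=False)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return parse_gm_version(proc.stdout)


def classify_exit(returncode: int) -> str:
    """Turn a subprocess return code into an outcome label for logging/alerting."""
    if returncode < 0:
        signum = -returncode
        try:
            name = signal.Signals(signum).name
        except ValueError:
            name = f"SIG{signum}"
        if signum == signal.SIGFPE:
            return f"crash:{name}:arithmetic-exception"
        return f"crash:{name}"
    return "ok" if returncode == 0 else f"error:{returncode}"


def convert_untrusted_svg(src: str, dst: str, timeout_s: int = 30) -> str:
    """Run `gm convert` on untrusted input with a wall-clock timeout and POSIX
    CPU/address-space limits, and return the classified outcome (hypothetical
    wrapper; limits are illustrative)."""
    import resource  # POSIX only

    def limits() -> None:
        resource.setrlimit(resource.RLIMIT_CPU, (timeout_s, timeout_s))
        resource.setrlimit(resource.RLIMIT_AS, (512 * 1024 * 1024,) * 2)

    try:
        proc = subprocess.run(["gm", "convert", src, dst], capture_output=True,
                              timeout=timeout_s, preexec_fn=limits, check=False)
    except subprocess.TimeoutExpired:
        return "error:timeout"
    return classify_exit(proc.returncode)


def crash_burst(history: List[str], window: int = 10, threshold: int = 3) -> bool:
    """Alert when at least `threshold` of the last `window` outcomes were signal crashes."""
    recent = history[-window:]
    return sum(1 for h in recent if h.startswith("crash:")) >= threshold


if __name__ == "__main__":
    v = installed_gm_version() or parse_gm_version(SAMPLE_GM_VERSION_OUTPUT)
    print("GraphicsMagick version:", v, "upstream-vulnerable:", upstream_version_vulnerable(v))
```

Feed every `convert_untrusted_svg` result into the history passed to `crash_burst`; a run of `crash:SIGFPE:arithmetic-exception` outcomes on SVG jobs is exactly the condition the monitoring bullet describes.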

Evidence notes

Based on the NVD record and linked references, the vulnerable component is GraphicsMagick's magick/render.c, with affected versions through 1.3.23. The record lists CWE-189 and CVSS 3.0 vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. References include the upstream GraphicsMagick NEWS entry for 2016-05-30, oss-security patch discussions, openSUSE security announcements, and a Red Hat Bugzilla issue, indicating coordinated upstream and downstream remediation.

Official resources

NVD published this CVE on 2017-02-03. The reference set shows upstream and distro remediation activity in 2016, so the public record reflects a later cataloging date rather than the start of vendor response.