PatchSiren cyber security CVE debrief

CVE-2016-7446 openSUSE CVE debrief

CVE-2016-7446 is a critical buffer overflow in GraphicsMagick 1.3.24 affecting MVG and SVG rendering code. NVD rates the issue 9.8/CRITICAL with network attack, no privileges, and no user interaction required. The record also notes this flaw exists because of an incomplete patch for CVE-2016-2317.

Vendor: openSUSE
Product: CVE-2016-7446
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-06
Original CVE updated: 2026-05-13
Advisory published: 2017-02-06
Advisory updated: 2026-05-13

Who should care

Security teams running GraphicsMagick 1.3.24, or the downstream packages shipped with Debian 8.0, openSUSE Leap 42.1, or openSUSE 13.2, should care most. Any environment that processes untrusted MVG or SVG content should prioritize review.

Technical summary

The vulnerability is classified as CWE-119 and described as a buffer overflow in GraphicsMagick’s MVG and SVG rendering paths. NVD’s CVSS vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a remotely reachable memory-corruption issue with potentially severe impact. The NVD description says the flaw remained due to an incomplete fix for CVE-2016-2317, which suggests a partially addressed code path or regression in the prior remediation.

Defensive priority

High. This is a network-reachable memory corruption issue that requires no authentication or user interaction, and the CVSS vector indicates potentially full confidentiality, integrity, and availability impact. Prioritize patching or package upgrades ahead of routine maintenance work.

Recommended defensive actions

  • Upgrade GraphicsMagick to a version that includes the complete fix for CVE-2016-7446 and the prior CVE-2016-2317 remediation.
  • Check vendor advisories and downstream package updates for Debian, openSUSE Leap 42.1, and openSUSE 13.2.
  • Restrict or sandbox any service that accepts untrusted MVG or SVG input until patched.
  • Add temporary controls to reduce exposure from user-supplied image conversion or rendering workflows.
  • Validate whether any internal applications embed GraphicsMagick for file processing and include them in remediation scope.
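The following shell helpers are an added triage example for the actions above; they are not PatchSiren's or the GraphicsMagick project's own code. They assume that the first line of `gm version` output has the form "GraphicsMagick <version> <date> ..." (the sample banner below is constructed), that 1.3.24 is the only release this debrief names as affected (older releases are reported as "review" because the page states no fixed version, and only releases newer than 1.3.24 are reported "newer"), and that the header sniffing for SVG and MVG content is a heuristic pre-filter for a temporary control, not a format parser.

```shell
#!/bin/sh
# Added example for the CVE-2016-7446 debrief (not PatchSiren or GraphicsMagick code).
# Assumptions: banner format of `gm version`, 1.3.24 as the named affected release,
# and heuristic SVG/MVG header markers for an interim input filter.

# Constructed sample of a `gm version` banner from an affected build.
SAMPLE_BANNER='GraphicsMagick 1.3.24 2016-05-30 Q16 http://www.GraphicsMagick.org/
Copyright (C) 2002-2016 GraphicsMagick Group.'

# Compare two dotted version strings numerically; prints -1, 0 or 1.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i in x) ? x[i] + 0 : 0
            yi = (i in y) ? y[i] + 0 : 0
            if (xi < yi) { print -1; exit }
            if (xi > yi) { print 1; exit }
        }
        print 0
    }'
}

# Pull the release number out of a `gm version` banner (first line only).
gm_version_from_banner() {
    printf '%s\n' "$1" | awk 'NR == 1 && $1 == "GraphicsMagick" { print $2 }'
}

# Classify a release against the one version the NVD record names (1.3.24).
# "review" for older builds is an assumption: the page gives no fixed version,
# so nothing older is assumed safe.
gm_status() {
    case "$(vercmp "$1" "1.3.24")" in
        0)  echo affected ;;
        -1) echo review ;;
        *)  echo newer ;;
    esac
}

# Interim control: refuse files that look like SVG or MVG before they reach gm.
# Checks the extension, then the first 512 bytes for assumed marker strings.
# Returns 0 (true) when the file should be held back.
is_vector_input() {
    f=$1
    case "$f" in
        *.svg|*.SVG|*.svgz|*.mvg|*.MVG) return 0 ;;
    esac
    hdr=$(head -c 512 "$f" 2>/dev/null | tr -d '\000' | tr 'A-Z' 'a-z')
    case "$hdr" in
        *"<svg"*|*"<?xml"*|*"push graphic-context"*|*"viewbox "*) return 0 ;;
    esac
    return 1
}

# Usage on a live host (not run here, gm may be absent):
#   gm_status "$(gm_version_from_banner "$(gm version)")"
#   is_vector_input upload.bin && echo "hold for manual review"
```

The version comparison is deliberately separate from the policy in `gm_status`, so the threshold can be updated to the vendor's fixed release once the advisory for your distribution names one; the header sniff only buys time while that upgrade is scheduled, since an MVG document can also be selected explicitly by format prefix rather than by content.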

Evidence notes

The supplied NVD record identifies GraphicsMagick 1.3.24 as the affected product and lists vulnerable CPEs for Debian 8.0, openSUSE Leap 42.1, and openSUSE 13.2. It classifies the weakness as CWE-119 and provides CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The description explicitly says the overflow is in MVG and SVG rendering code and that it exists due to an incomplete patch for CVE-2016-2317. The CVE was published on 2017-02-06 and the NVD source snapshot was modified on 2026-05-13.

Official resources

The CVE record was published on 2017-02-06, while the reference list shows public discussion and vendor advisories already available in September and October 2016. Use the CVE publication date as the canonical disclosure date for this de-