PatchSiren cyber security CVE debrief
CVE-2016-9830 Opensuse CVE debrief
CVE-2016-9830 is a denial-of-service issue in GraphicsMagick 1.3.25. According to the CVE description, crafted JPEG images with very large dimensions can trigger a crash in MagickRealloc in memory.c. The issue was publicly recorded by NVD on 2017-03-01, while the supplied references show patch and advisory activity in early December 2016. The weakness is categorized as CWE-20 (input validation).
- Vendor: openSUSE
- Product: CVE-2016-9830
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-03-01
- Original CVE updated: 2026-05-13
- Advisory published: 2017-03-01
- Advisory updated: 2026-05-13
Who should care
Administrators, package maintainers, and application owners who use GraphicsMagick to process untrusted JPEG uploads or batch image inputs. Distributions and products shipping GraphicsMagick 1.3.25 should review their update status, including the openSUSE, Debian, and related advisory references in the source corpus.
Technical summary
The vulnerable code path is MagickRealloc in GraphicsMagick's memory.c. The reported trigger is a JPEG image with excessively large dimensions, which can cause a crash and service interruption. NVD maps the weakness to CWE-20 and lists affected CPEs including GraphicsMagick 1.3.25 and several distro packages. The supplied NVD vector is CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, indicating availability impact as the primary concern.
Defensive priority
Medium. This is a denial-of-service condition rather than a code-execution flaw, but it can still matter in systems that accept attacker-supplied images or run image processing as a service.
Recommended defensive actions
- Apply the GraphicsMagick fix or vendor-backed package update referenced in the supplied advisories.
- Check whether any deployed systems match the affected CPEs, especially GraphicsMagick 1.3.25 and the listed distro packages.
- Restrict or sandbox processing of untrusted image uploads where practical.
- Add monitoring or alerting for repeated image-processing crashes or restarts.
- Validate image dimensions and reject unexpectedly large inputs before they reach GraphicsMagick.
- Track distro security advisories from openSUSE, Debian, Red Hat, and related maintainers for backported fixes.
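As an added example for the dimension-validation action above (not code from this debrief or from the GraphicsMagick project): a pre-decode check that reads only the JPEG frame header of an upload and rejects it when the declared width times height exceeds a pixel budget, so an oversized image never reaches the decoder's allocator. MAX_PIXELS and the make_jpeg_header test-input builder are assumptions constructed for this example.

```python
import struct

# Pixel budget (an assumption for this example): size it to what your workers can allocate.
MAX_PIXELS = 50_000_000

# SOFn markers that carry a frame header (0xC4 DHT, 0xC8 JPG, 0xCC DAC do not).
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7,
               0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}

def jpeg_dimensions(data):
    """(width, height) from the first SOFn segment, or None if not a JPEG / no frame header."""
    if len(data) < 4 or data[:2] != b"\xff\xd8":  # SOI
        return None
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None  # lost marker sync: treat as malformed
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte, the real marker follows
            pos += 1
            continue
        if marker in (0xD9, 0xDA):  # EOI or SOS reached before any frame header
            return None
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker in SOF_MARKERS:
            # payload: precision(1) height(2) width(2) components(1) ...
            if seg_len < 7 or pos + 9 > len(data):
                return None
            height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
            return width, height
        if seg_len < 2:
            return None
        pos += 2 + seg_len  # length covers itself, not the two marker bytes
    return None

def jpeg_within_budget(data, max_pixels=MAX_PIXELS):
    # Reject before decoding: unparseable headers and oversized frames both fail.
    dims = jpeg_dimensions(data)
    if dims is None:
        return False
    width, height = dims
    return width > 0 and height > 0 and width * height <= max_pixels

def make_jpeg_header(width, height):
    # Constructed test input: SOI, a JFIF APP0 segment and a one-component SOF0 only.
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sof0 = struct.pack(">BHHB", 8, height, width, 1) + b"\x01\x11\x00"
    return (b"\xff\xd8" + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
            + b"\xff\xc0" + struct.pack(">H", len(sof0) + 2) + sof0)
```

The SOF fields are 16-bit, so each axis is capped at 65535 and the check must be on the product of the two, not on either axis alone.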
Evidence notes
The source corpus ties the issue to GraphicsMagick 1.3.25 and references a patch commit, multiple distro advisories, and a Gentoo write-up dated 2016-12-01. NVD published the CVE record on 2017-03-01. The supplied record also includes affected CPEs for GraphicsMagick and several Linux distributions. Note that the vendor field in this dataset maps to openSUSE CPE context, while the vulnerability description itself names GraphicsMagick.
Official resources
- CVE-2016-9830 CVE record (CVE.org)
- CVE-2016-9830 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: Issue Tracking, Patch, Third Party Advisory
- Mitigation or vendor reference: Third Party Advisory
- Mitigation or vendor reference: Third Party Advisory
- Mitigation or vendor reference: Mailing List, Third Party Advisory
- Mitigation or vendor reference: Third Party Advisory, VDB Entry
- Mitigation or vendor reference: Patch, Third Party Advisory, VDB Entry
- Mitigation or vendor reference: Issue Tracking, Patch
Publicly recorded by NVD on 2017-03-01. The source references show patch and advisory activity in December 2016, so remediation discussion appears to have begun before CVE publication.