PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-8685 Potrace Project CVE debrief

CVE-2016-8685 describes a denial-of-service issue in Potrace’s BMP processing path. According to the NVD record, a crafted BMP image can trigger invalid memory access and a crash in the findnext function in decompose.c. The NVD entry assigns a medium severity score (CVSS 5.5) and maps the weakness to CWE-119. The corpus also contains third-party advisory references. Note a version discrepancy: the NVD CPE range marks Potrace releases through 1.12 as affected, while the description text names 1.13. Validate that detail against upstream release history before relying on it operationally.

Vendor
Potrace Project
Product
Potrace
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-31
Original CVE updated
2026-05-13
Advisory published
2017-01-31
Advisory updated
2026-05-13

Who should care

Administrators, package maintainers, and users running Potrace on untrusted or externally supplied image files should pay attention, especially if BMP inputs are accepted from users, uploads, or automated pipelines. Downstream Linux distributions and embedded product maintainers should also verify whether their shipped Potrace version falls within the affected range and whether updates are available.

Technical summary

The vulnerability is in findnext() in decompose.c, where a crafted BMP image causes invalid memory access and a crash. NVD classifies the issue as CWE-119 and gives it CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H: a local attack vector, no privileges required, user interaction required (someone or something has to feed the file to Potrace), no confidentiality or integrity impact, and high availability impact. The NVD CPE data marks Potrace versions through 1.12 as vulnerable. The reference set includes mailing-list disclosures and a Gentoo advisory discussing the invalid memory access in findnext().

Defensive priority

Medium. This is a crash/denial-of-service issue rather than a documented code-execution flaw in the supplied corpus, but it still matters for any workflow that processes untrusted BMP files or depends on Potrace availability.

Recommended defensive actions

  • Check whether any deployed Potrace packages are at or below the affected version range listed in NVD.
  • Prioritize upgrading to a fixed Potrace release from a trusted package source if you process untrusted BMP files.
  • Restrict or sandbox image-conversion workflows so a crash cannot disrupt broader services.
  • Treat externally supplied BMPs as untrusted input and validate file-handling paths that invoke Potrace.
  • If you maintain a distribution or appliance image, confirm whether vendor backports already include a fix before assuming version number alone is sufficient.
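As an added, illustrative example (not code from the Potrace project, the NVD record or any of the cited advisories), the Python script below implements three of the actions above: parsing `potrace --version` output and comparing it with the NVD CPE range, sanity-checking a BMP's headers before it reaches Potrace, and invoking potrace under a timeout and memory cap so a crash stays contained. The `--version` banner and the BMP byte strings are constructed samples; the potrace flags `--svg` and `-o` are the ones documented in the potrace manual; the policy limits (8192 pixels per side, 256 MiB, 10 s) are assumptions to tune for your own pipeline. The version check encodes only the NVD range; as the last bullet says, a distribution backport can fix the bug without changing the version string.

```python
"""Pre-flight checks for a pipeline that feeds externally supplied BMPs to potrace."""
import re
import struct
import subprocess
from typing import Optional, Tuple

try:
    import resource  # POSIX only; used to cap the converter's memory
except ImportError:  # pragma: no cover
    resource = None

# Affected range as recorded in the NVD CPE criteria for CVE-2016-8685 (through 1.12).
# The NVD description text says 1.13; that discrepancy is left unresolved here.
AFFECTED_MAX = (1, 12)


def parse_potrace_version(banner: str) -> Optional[Tuple[int, int]]:
    """Extract (major, minor) from a `potrace --version` banner such as 'potrace 1.16. ...'."""
    m = re.search(r"potrace\s+(\d+)\.(\d+)", banner, re.IGNORECASE)
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_affected_version(version: Tuple[int, int]) -> bool:
    """True when the version is inside the NVD-listed range (version string only, backports unknown)."""
    return version <= AFFECTED_MAX


def make_bmp(width: int, height: int) -> bytes:
    """Build a minimal uncompressed 24-bit BMP (BITMAPINFOHEADER); used for constructed samples."""
    row_bytes = ((width * 3 + 3) // 4) * 4          # rows are padded to 4 bytes
    pixels = bytes(row_bytes * height)
    off_bits = 14 + 40                              # file header + DIB header
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    head = struct.pack("<2sIHHI", b"BM", off_bits + len(pixels), 0, 0, off_bits)
    return head + info + pixels


def bmp_header_sane(data: bytes, max_dim: int = 8192) -> Tuple[bool, str]:
    """Cheap structural checks before handing a BMP to potrace; returns (ok, reason)."""
    if len(data) < 26:
        return False, "shorter than the smallest BMP header pair"
    magic, bf_size, _r1, _r2, off_bits = struct.unpack_from("<2sIHHI", data, 0)
    if magic != b"BM":
        return False, "bad magic"
    if bf_size != len(data):
        return False, "bfSize %d does not match actual length %d" % (bf_size, len(data))
    dib_size = struct.unpack_from("<I", data, 14)[0]
    if dib_size == 12:                               # BITMAPCOREHEADER (OS/2), unsigned 16-bit dims
        width, height, _planes, bpp = struct.unpack_from("<HHHH", data, 18)
        compression = 0
    elif dib_size >= 40:                             # BITMAPINFOHEADER and V4/V5 extensions
        if len(data) < 14 + dib_size:
            return False, "DIB header truncated"
        width, height, _planes, bpp, compression = struct.unpack_from("<iiHHI", data, 18)
    else:
        return False, "unknown DIB header size %d" % dib_size
    if not (0 < width <= max_dim and 0 < abs(height) <= max_dim):   # negative height = top-down
        return False, "dimensions %dx%d out of policy" % (width, height)
    if off_bits < 14 + dib_size or off_bits >= len(data):
        return False, "pixel data offset %d outside file" % off_bits
    if compression == 0:                             # BI_RGB: declared pixel area must fit the file
        row_bytes = ((width * bpp + 31) // 32) * 4
        if off_bits + row_bytes * abs(height) > len(data):
            return False, "declared pixel area exceeds file size"
    return True, "ok"


def run_potrace_sandboxed(bmp_path: str, svg_path: str, potrace_bin: str = "potrace",
                          timeout_s: int = 10, mem_bytes: int = 256 * 1024 * 1024) -> Tuple[bool, str]:
    """Run potrace on one file with a wall-clock timeout, an address-space cap and no core dumps."""
    def _limits() -> None:
        if resource is not None:
            resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))
            resource.setrlimit(resource.RLIMIT_CORE, (0, 0))
    try:
        proc = subprocess.run([potrace_bin, "--svg", "-o", svg_path, bmp_path],
                              capture_output=True, timeout=timeout_s, preexec_fn=_limits)
    except subprocess.TimeoutExpired:
        return False, "potrace exceeded %d s" % timeout_s
    except OSError as exc:                           # binary missing, not executable, ...
        return False, str(exc)
    # A crash surfaces as a negative return code (killed by a signal); any non-zero is a failure.
    return proc.returncode == 0, proc.stderr.decode(errors="replace").strip()


# Constructed samples: one well-formed 2x2 image and three hostile variants of it.
GOOD_BMP = make_bmp(2, 2)
_huge = bytearray(GOOD_BMP); struct.pack_into("<i", _huge, 18, 0x7FFFFFFF)   # absurd width
HUGE_WIDTH_BMP = bytes(_huge)
_tall = bytearray(GOOD_BMP); struct.pack_into("<i", _tall, 22, 1000)         # height > pixel bytes present
OVERSIZED_PIXEL_AREA_BMP = bytes(_tall)
TRUNCATED_BMP = GOOD_BMP[:40]

if __name__ == "__main__":
    banner = "potrace 1.16. Copyright (C) 2001-2019 Peter Selinger."        # constructed sample banner
    ver = parse_potrace_version(banner)
    print("installed:", ver, "affected per NVD range:", is_affected_version(ver))
    for name, blob in [("good", GOOD_BMP), ("huge width", HUGE_WIDTH_BMP),
                       ("oversized pixel area", OVERSIZED_PIXEL_AREA_BMP), ("truncated", TRUNCATED_BMP)]:
        print("%-22s %s" % (name, bmp_header_sane(blob)))
```

In a real pipeline, call bmp_header_sane() on the upload, and only then run_potrace_sandboxed() on a copy written to a scratch directory; reject the job when either returns False. The header checks are a policy filter, not a parser of Potrace's own BMP code, so they reduce exposure rather than prove a file is safe.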

Evidence notes

NVD identifies the issue as an invalid memory access in findnext() in decompose.c leading to a crash, with CVSS 5.5 and CWE-119. The NVD CPE criteria mark Potrace versions through 1.12 as vulnerable. Corpus references include two openwall mailing-list posts, a SecurityFocus BID entry, and a Gentoo blog advisory whose title names the invalid memory access in findnext()/decompose.c. The supplied description text says Potrace 1.13, but the NVD version criteria in the same corpus end the affected range at 1.12; that discrepancy is treated as unresolved in this debrief.

Official resources

The corpus shows advisory activity from 2016-08 through 2016-10, while the CVE was published on 2017-01-31. The NVD record was last modified on 2026-05-13. Use the CVE publication date (or the earlier advisory dates) for issue timing, not the later modification date, which reflects record maintenance rather than new findings.