PatchSiren cyber security CVE debrief

CVE-2016-8686 Potrace Project CVE debrief

CVE-2016-8686 is a high-severity flaw in potrace's bm_new path that can be triggered by a crafted image and lead to a memory allocation failure. The source corpus leaves the impact unspecified, while NVD assigns a CVSS 3.0 score of 7.8 with high confidentiality, integrity, and availability impact ratings. Treat this as a risk for workflows that process attacker-controlled images with vulnerable potrace builds, and verify the exact affected version range, because the corpus contains a version mismatch.

Vendor: Potrace Project
Product: CVE-2016-8686
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-31
Original CVE updated: 2026-05-13
Advisory published: 2017-01-31
Advisory updated: 2026-05-13

Who should care

Administrators, package maintainers, and developers who run potrace on user-supplied or otherwise untrusted images, especially in automated conversion pipelines, document-processing services, or desktop applications that invoke potrace behind the scenes.

Technical summary

The vulnerability lies in the bm_new function in bitmap.h in potrace. According to the source corpus, a crafted image can trigger a memory allocation failure there. NVD maps the weakness to CWE-119 and rates the issue CVSS 3.0 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). The corpus also contains a source inconsistency: the narrative description mentions potrace 1.13, while the NVD CPE criteria mark versions up to 1.12 as vulnerable.
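The corpus does not state the root cause beyond "a crafted image can trigger a memory allocation failure" in a bitmap allocator. The following is an added illustration, not potrace's code and not the vendor's fix, of how a defensively written bitmap allocator handles that class of input: it bounds the dimensions taken from an untrusted header, checks the size arithmetic for overflow before calling the allocator, and treats allocation failure as an ordinary error rather than a crash. All names (bitmap_t, bm_size_checked, bm_new_checked, BM_MAX_DIM) and the dimension limit are this example's own assumptions.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical one-bit-per-pixel bitmap with rows padded to 64-bit words.
 * These types and names are constructed for this example; they are not
 * potrace's bitmap.h definitions. */
typedef uint64_t bm_word;
#define BM_WORDBITS 64u
#define BM_WORDSIZE sizeof(bm_word)

/* Constructed policy limit on accepted image dimensions. A real service
 * would pick this from its memory budget; even a generous limit stops a
 * header from requesting terabytes of pixel storage. */
#define BM_MAX_DIM 32768

typedef struct {
    int w, h;      /* pixel dimensions, as declared by the (untrusted) header */
    size_t dy;     /* words per row */
    bm_word *map;  /* pixel storage */
} bitmap_t;

/* Validate dimensions and compute the pixel-map size without overflow.
 * Returns 1 and fills *out_dy / *out_bytes on success, 0 on rejection. */
int bm_size_checked(int w, int h, size_t *out_dy, size_t *out_bytes) {
    if (w <= 0 || h <= 0 || w > BM_MAX_DIM || h > BM_MAX_DIM)
        return 0;                                   /* reject nonsense and oversize headers */
    size_t dy = ((size_t)w + BM_WORDBITS - 1) / BM_WORDBITS;
    if (dy > SIZE_MAX / (size_t)h)
        return 0;                                   /* dy * h would overflow size_t */
    size_t words = dy * (size_t)h;
    if (words > SIZE_MAX / BM_WORDSIZE)
        return 0;                                   /* words * sizeof(word) would overflow */
    *out_dy = dy;
    *out_bytes = words * BM_WORDSIZE;
    return 1;
}

/* Allocate a bitmap, returning NULL on invalid dimensions or allocation failure.
 * Callers must check the result; no partially initialised object escapes. */
bitmap_t *bm_new_checked(int w, int h) {
    size_t dy, bytes;
    if (!bm_size_checked(w, h, &dy, &bytes))
        return NULL;
    bitmap_t *bm = malloc(sizeof *bm);
    if (!bm)
        return NULL;
    bm->w = w;
    bm->h = h;
    bm->dy = dy;
    bm->map = calloc(1, bytes);                     /* zero-filled; NULL on failure */
    if (!bm->map) {
        free(bm);
        return NULL;
    }
    return bm;
}

void bm_free(bitmap_t *bm) {
    if (bm) {
        free(bm->map);
        free(bm);
    }
}

/* Helpers that exercise the allocator on constructed header values. */
size_t demo_bytes_640x480(void) {            /* 10 words/row * 480 rows * 8 bytes = 38400 */
    size_t dy, bytes;
    return bm_size_checked(640, 480, &dy, &bytes) ? bytes : 0;
}
int demo_accepts_small(void) {
    bitmap_t *b = bm_new_checked(640, 480);
    int ok = (b != NULL && b->dy == 10);
    bm_free(b);
    return ok;
}
int demo_rejects_huge(void)     { return bm_new_checked(INT_MAX, INT_MAX) == NULL; }
int demo_rejects_negative(void) { return bm_new_checked(-1, 10) == NULL; }
int demo_rejects_zero(void)     { return bm_new_checked(0, 0) == NULL; }

int main(void) {
    printf("640x480 map bytes: %zu\n", demo_bytes_640x480());
    printf("small accepted: %d, huge rejected: %d, negative rejected: %d\n",
           demo_accepts_small(), demo_rejects_huge(), demo_rejects_negative());
    return 0;
}
```

The dimension bound alone rejects the hostile headers in the demo; the SIZE_MAX checks matter when a deployment raises that bound or runs on a platform where int and size_t differ in width, and they cost nothing on the accepted path.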

Defensive priority

High for any environment that accepts untrusted images and may invoke potrace; otherwise moderate if the input set is tightly controlled.

Recommended defensive actions

  • Check whether any installed or bundled potrace version matches the vulnerable range in your vendor's package metadata.
  • Update to a non-vulnerable potrace release or apply the vendor's backport if available.
  • Review pipelines that convert user-supplied images and limit where potrace is used on untrusted content.
  • Add monitoring and inventory checks for embedded or transitive potrace usage in applications and build systems.
  • If you cannot upgrade immediately, reduce exposure by restricting who can submit files and by isolating image-conversion jobs.

Evidence notes

Primary evidence comes from the NVD record and its linked advisories. The NVD description states that bm_new in bitmap.h in potrace can be driven by a crafted image into a memory allocation failure. NVD assigns CVSS 3.0 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H and CWE-119. The reference set in the corpus includes an Openwall oss-security mailing-list post, a SecurityFocus BID entry, and a Gentoo advisory. The corpus contains a notable inconsistency: the narrative description names potrace 1.13, but the NVD CPE criteria mark versions through 1.12 as vulnerable. The NVD record was published on 2017-01-31 and last modified on 2026-05-13.

Official resources

Publicly referenced in 2016 advisories and published in NVD on 2017-01-31.