PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-8694 Potrace Project CVE debrief

CVE-2016-8694 describes a denial-of-service flaw in Potrace’s BMP parser. A crafted BMP image can trigger a NULL pointer dereference in bm_readbody_bmp in bitmap_io.c, crashing the process. The NVD record ties the affected range to Potrace 1.12 and earlier, with the fix implied by the 1.13 boundary.

Vendor: Potrace Project
Product: CVE-2016-8694
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-31
Original CVE updated: 2026-05-13
Advisory published: 2017-01-31
Advisory updated: 2026-05-13

Who should care

Maintainers and operators of software that uses Potrace to process untrusted BMP images, especially deployments still on Potrace 1.12 or earlier.

Technical summary

NVD identifies CWE-476 (NULL Pointer Dereference) in bm_readbody_bmp within bitmap_io.c. The vulnerability is described as a crash (denial of service) triggered by crafted BMP input. NVD’s CVSS 3.0 vector is AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, indicating an availability impact with user interaction required. The CVE description says remote attackers can trigger the issue, while the CVSS vector models the attack as local with user interaction; which of the two better fits a given deployment depends on how untrusted BMP files reach Potrace there, and that should be reviewed in the context of the affected deployment.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade Potrace to 1.13 or later, or otherwise remove versions 1.12 and earlier from service.
  • Inventory applications and pipelines that decode BMP files through Potrace and confirm whether they process untrusted input.
  • Isolate or sandbox image-conversion jobs that must handle external BMP files.
  • Treat crashes in bitmap parsing paths as a signal to test for vulnerable Potrace versions and replace or patch them promptly.
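The upgrade and inventory steps above come down to one question per host: is the installed Potrace 1.12 or earlier? The following POSIX shell script is an added example written for this debrief, not code from PatchSiren or the Potrace project. It compares a version string against the 1.13 boundary stated in the NVD record, refuses to treat a garbled version as safe, and, when potrace is on the PATH, parses `potrace --version`. The assumption that the first line of that output starts with `potrace X.Y` followed by a period is mine; the sample string in the test is constructed.

```shell
#!/bin/sh
# Added example for the CVE-2016-8694 debrief; not part of Potrace or the advisory.
# Affected range per the NVD record: Potrace 1.12 and earlier; fixed from 1.13.

# potrace_version_vulnerable VERSION
# Returns 0 (true) when VERSION is 1.12 or earlier, 1 when it is 1.13 or later,
# and 2 when VERSION is not a recognisable MAJOR.MINOR[.PATCH] string.
potrace_version_vulnerable() {
    ver=$1
    major=${ver%%.*}
    case "$ver" in
        *.*) rest=${ver#*.}; minor=${rest%%.*} ;;
        *)   minor=0 ;;
    esac
    # A non-numeric component is an error, never "not vulnerable".
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    if [ "$major" -lt 1 ]; then return 0; fi
    if [ "$major" -eq 1 ] && [ "$minor" -le 12 ]; then return 0; fi
    return 1
}

# extract_potrace_version "potrace 1.16. Copyright ..."
# Prints the MAJOR.MINOR[.PATCH] token after the leading "potrace " (assumed
# output format of `potrace --version`), or nothing if it cannot be found.
extract_potrace_version() {
    printf '%s\n' "$1" | sed -n 's/^potrace \([0-9][0-9.]*[0-9]\).*/\1/p'
}

# check_installed_potrace
# Reports whether the potrace binary on PATH is inside the affected range.
# Returns 0 if vulnerable, 1 if not, 2 if the version could not be parsed,
# 3 if potrace is not installed.
check_installed_potrace() {
    if ! command -v potrace >/dev/null 2>&1; then
        echo "potrace: not installed on this host"
        return 3
    fi
    installed=$(extract_potrace_version "$(potrace --version 2>&1 | head -n 1)")
    if [ -z "$installed" ]; then
        echo "potrace: could not parse version from --version output"
        return 2
    fi
    if potrace_version_vulnerable "$installed"; then
        echo "potrace $installed: in the CVE-2016-8694 affected range (1.12 and earlier); upgrade to 1.13 or later"
        return 0
    fi
    echo "potrace $installed: outside the affected range"
    return 1
}

# Report on the local installation when the script is run directly.
check_installed_potrace
```

Run it on each host that decodes BMP files through Potrace; a return status of 0 means the host belongs on the upgrade list, and 2 or 3 means the inventory needs a manual look rather than a "not affected" mark.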

Evidence notes

The supplied NVD record states: Potrace before 1.13 is vulnerable; bm_readbody_bmp in bitmap_io.c can be reached by a crafted BMP image and can cause a NULL pointer dereference and crash. The CPE range marks Potrace 1.12 and earlier as vulnerable. NVD assigns CWE-476 and CVSS 3.0 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. References in the corpus include the Potrace ChangeLog, oss-security mailing list posts, a SecurityFocus entry, and a Gentoo blog advisory. The record was published on 2017-01-31 and last modified on 2026-05-13; the modified date is record metadata, not the issue date.

Official resources

Publicly disclosed in the CVE/NVD record on 2017-01-31, with supporting third-party advisories and mailing-list references dating to 2016. The NVD record was later modified on 2026-05-13.