PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-8696 Potrace Project CVE debrief

CVE-2016-8696 is a denial-of-service issue in potrace’s BMP parsing path. A crafted BMP image can trigger a NULL pointer dereference in bm_readbody_bmp, causing the application to crash. NVD lists the issue as affecting potrace versions through 1.12, and the CVE description places the fix boundary at before 1.13. This is a stability and availability problem rather than a confidentiality or integrity issue.

Vendor: Potrace Project
Product: CVE-2016-8696
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-31
Original CVE updated: 2026-05-13
Advisory published: 2017-01-31
Advisory updated: 2026-05-13

Who should care

Security and platform teams that deploy potrace 1.12 or earlier, especially where the tool processes untrusted BMP images as part of automated conversion, document workflows, or user-submitted uploads. Any downstream product bundling potrace should also verify whether it inherited the vulnerable parser code.

Technical summary

The vulnerable code path is bm_readbody_bmp in bitmap_io.c. According to the CVE record, a crafted BMP can lead to a NULL pointer dereference and crash. NVD classifies the weakness as CWE-476 and rates the impact as CVSS 3.0 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The issue is distinct from CVE-2016-8694 and CVE-2016-8695.

Defensive priority

Medium. A crafted BMP can crash any potrace process that handles attacker-controlled input, so the issue is worth prioritizing wherever untrusted images are accepted. If potrace is not exposed to external input, the operational risk is lower.

Recommended defensive actions

  • Upgrade potrace to version 1.13 or later, or apply the vendor fix if you maintain a downstream package.
  • Inventory systems and applications that embed potrace or invoke it on user-supplied BMP files.
  • Treat BMP inputs as untrusted and add file-validation controls around conversion pipelines.
  • If you cannot upgrade immediately, reduce exposure by limiting which users can submit BMP files and by isolating image-processing jobs.
  • Monitor for unexpected crashes or repeated failures in workflows that use potrace, as those may indicate attempted triggering or latent compatibility issues.
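The file-validation control recommended above, as an added example rather than code from potrace or from this advisory: a pre-check that rejects BMP files whose header fields are inconsistent with the actual file length before a conversion job invokes potrace. The function names, the constructed sample builder and the MAX_PIXELS policy cap are assumptions for illustration.

```python
import struct

MAX_PIXELS = 50_000_000   # pipeline policy cap on width*height (assumed value)
FILE_HDR = 14             # BITMAPFILEHEADER length


def check_bmp(data: bytes) -> str:
    """Return 'ok' or a short reason why the file should not be sent to potrace."""
    if len(data) < FILE_HDR + 12:
        return "truncated file header"
    if data[:2] != b"BM":
        return "bad magic"
    pixel_offset = struct.unpack_from("<I", data, 10)[0]
    hdr_size = struct.unpack_from("<I", data, FILE_HDR)[0]
    if hdr_size == 12:  # BITMAPCOREHEADER (OS/2): 16-bit dims, 3-byte palette entries
        width, height, _planes, bpp = struct.unpack_from("<hhHH", data, 18)
        compression, clr_used, entry = 0, 0, 3
    elif hdr_size >= 40 and FILE_HDR + hdr_size <= len(data):  # BITMAPINFOHEADER or later
        width, height, _planes, bpp, compression = struct.unpack_from("<iiHHI", data, 18)
        clr_used, entry = struct.unpack_from("<I", data, 46)[0], 4
    else:
        return "unsupported or truncated info header"
    if width <= 0 or height == 0 or width * abs(height) > MAX_PIXELS:
        return "implausible dimensions"  # negative height = top-down, allowed
    if bpp not in (1, 4, 8, 16, 24, 32):
        return "bad bit depth"
    palette_start = FILE_HDR + hdr_size
    if pixel_offset < palette_start or pixel_offset > len(data):
        return "pixel offset outside file"
    if bpp <= 8 and pixel_offset - palette_start < (clr_used or 1 << bpp) * entry:
        return "palette truncated"
    if compression == 0:  # BI_RGB: uncompressed, so the pixel size is fully determined
        row_bytes = ((width * bpp + 31) // 32) * 4  # rows are padded to 4 bytes
        if pixel_offset + row_bytes * abs(height) > len(data):
            return "pixel data truncated"
    return "ok"


def make_bmp(width: int, height: int, payload_len: int) -> bytes:
    """Constructed test input: 24-bit BITMAPINFOHEADER BMP with payload_len pixel bytes."""
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, 0, 0, 0, 0, 0)
    body = bytes(payload_len)
    return struct.pack("<2sIHHI", b"BM", FILE_HDR + 40 + payload_len, 0, 0, FILE_HDR + 40) + info + body


if __name__ == "__main__":
    print(check_bmp(make_bmp(2, 2, 16)))         # ok
    print(check_bmp(make_bmp(2, 100_000, 16)))   # pixel data truncated
```

A file that fails this gate should be logged and dropped, which also gives the monitoring step above a concrete signal to alert on.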

Evidence notes

Primary evidence comes from the NVD CVE record and MITRE-linked references. The NVD description states that bm_readbody_bmp in bitmap_io.c in potrace before 1.13 allows remote attackers to cause a denial of service via a crafted BMP image. NVD also classifies the weakness as CWE-476 and lists affected versions through 1.12. Supporting references include the potrace ChangeLog and third-party advisories linked from the CVE record.

Official resources

Published by NVD on 2017-01-31. The record was later modified on 2026-05-13; those dates reflect CVE publication and database update timing, not exploit activity.