PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-8697 Potrace Project CVE debrief

CVE-2016-8697 is a denial-of-service issue in Potrace before 1.13. A crafted BMP image can trigger a divide-by-zero in the bm_new function in bitmap.h, causing the process to crash. NVD classifies the issue as medium severity and maps it to CWE-369.

Vendor
Potrace Project
Product
Potrace (CVE-2016-8697)
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-31
Original CVE updated
2026-05-13
Advisory published
2017-01-31
Advisory updated
2026-05-13

Who should care

Administrators, distributors, and developers using Potrace directly or through software that imports or converts BMP images should care, especially if untrusted files can reach the image-processing path.

Technical summary

The vulnerability affects bm_new in bitmap.h and is triggered by a crafted BMP image that causes a divide-by-zero condition. The NVD record lists the affected version range as Potrace up to and including 1.12, with 1.13 as the first non-vulnerable release. NVD’s CVSS v3.0 vector is AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, and the weakness is CWE-369.

Defensive priority

Medium. The issue is a crash-only denial-of-service in an image parser, but it can still be operationally significant if Potrace is exposed to untrusted files in automated or user-facing workflows.

Recommended defensive actions

  • Upgrade Potrace to version 1.13 or later.
  • Identify applications, libraries, and packages that bundle or call Potrace and verify they include a fixed release.
  • Treat BMP inputs from untrusted sources as potentially hostile until the patched version is deployed.
  • If immediate upgrading is not possible, reduce exposure by limiting who can submit BMP files into Potrace-backed workflows.
  • Monitor for unexpected crashes in image-processing pipelines and correlate them with BMP handling.
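One way to apply the "treat untrusted BMP input as hostile" action above while the upgrade is pending, as an added example that is not part of the original debrief or of the Potrace code base: a header gate that runs before a file is handed to a Potrace-backed pipeline and rejects geometry that would give a decoder a zero or overflowing operand. The debrief does not say which header field feeds the failing division, so the choice of fields, the 54-byte BITMAPFILEHEADER+BITMAPINFOHEADER layout and the helper names are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Little-endian field readers/writers for the on-disk BMP headers. */
static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(unsigned char *p, uint16_t v) {
    p[0] = (unsigned char)(v & 0xff); p[1] = (unsigned char)(v >> 8);
}
static void wr32(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)(v & 0xff);         p[1] = (unsigned char)((v >> 8) & 0xff);
    p[2] = (unsigned char)((v >> 16) & 0xff); p[3] = (unsigned char)((v >> 24) & 0xff);
}

/* Returns 1 if buf starts with a BMP header whose geometry is safe to hand to a
 * decoder, 0 otherwise. Assumes the common layout: 14-byte BITMAPFILEHEADER
 * followed by a BITMAPINFOHEADER of at least 40 bytes (the old 12-byte
 * BITMAPCOREHEADER is rejected as unsupported rather than parsed). */
int bmp_header_sane(const unsigned char *buf, size_t len) {
    if (len < 54 || buf[0] != 'B' || buf[1] != 'M') return 0;   /* truncated or not a BMP */
    if (rd32(buf + 14) < 40) return 0;                           /* DIB header lacks the fields read below */
    int32_t  w      = (int32_t)rd32(buf + 18);
    int32_t  h      = (int32_t)rd32(buf + 22);                   /* negative height = top-down rows, legal */
    uint16_t planes = rd16(buf + 26);
    uint16_t bpp    = rd16(buf + 28);
    if (w <= 0 || h == 0) return 0;          /* a zero dimension turns row/size arithmetic into a zero divisor */
    if (planes != 1) return 0;
    switch (bpp) { case 1: case 4: case 8: case 16: case 24: case 32: break; default: return 0; }
    if ((int64_t)w * bpp > INT32_MAX) return 0;                  /* row size would overflow a 32-bit stride */
    return 1;
}

/* Builds a minimal 54-byte header with the given geometry (constructed test data, no pixel rows). */
void make_bmp_header(unsigned char out[54], int32_t w, int32_t h, uint16_t bpp) {
    memset(out, 0, 54);
    out[0] = 'B'; out[1] = 'M';
    wr32(out + 2, 54);             /* file size: header only */
    wr32(out + 10, 54);            /* offset of pixel data */
    wr32(out + 14, 40);            /* BITMAPINFOHEADER size */
    wr32(out + 18, (uint32_t)w);
    wr32(out + 22, (uint32_t)h);
    wr16(out + 26, 1);             /* colour planes */
    wr16(out + 28, bpp);
}
```

Files that fail the gate are dropped (and logged for the crash-correlation step below) instead of being passed to Potrace; files that pass are still untrusted, the gate only removes the degenerate geometry this class of bug depends on.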

Evidence notes

The CVE record and NVD detail are the authoritative sources for the affected product and version range. The NVD metadata cites a divide-by-zero in bm_new/bitmap.h and lists Potrace versions through 1.12 as vulnerable. The CVE was published on 2017-01-31T22:59:00.657Z and later modified on 2026-05-13T00:24:29.033Z; advisory references in the record date back to 2016.

Official resources

Publicly disclosed in the CVE record on 2017-01-31. NVD references include advisories from 2016, showing the issue was known before the CVE publication date.