PatchSiren cyber security CVE debrief

CVE-2016-2318 Suse CVE debrief

CVE-2016-2318 describes a denial-of-service condition in GraphicsMagick 1.3.23 triggered by crafted SVG content. NVD records the weakness as CWE-476 (NULL pointer dereference) and rates the issue CVSS 3.0 5.5/Medium. The CVE data ties the issue to SVG parsing/rendering paths including DrawImage, SVGStartElement, and TraceArcPath. Systems that process untrusted SVG files through affected GraphicsMagick builds should be treated as exposed until patched packages are in place.

Vendor: Suse
Product: CVE-2016-2318
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-03
Original CVE updated: 2026-05-13
Advisory published: 2017-02-03
Advisory updated: 2026-05-13

Who should care

Administrators and integrators using GraphicsMagick 1.3.23, especially where systems accept or render untrusted SVG files. The NVD CPE list also identifies affected Debian 8.0 and several SUSE/openSUSE products, so package maintainers and platform owners for those distributions should verify whether their shipped GraphicsMagick builds include the fix.

Technical summary

The vulnerability is a NULL pointer dereference in GraphicsMagick’s SVG handling/rendering path, documented by NVD as CWE-476. The CVE description names affected code paths in magick/render.c and coders/svg.c, specifically DrawImage, SVGStartElement, and TraceArcPath. NVD assigns CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, indicating availability impact with user interaction required. In practical terms, rendering a crafted SVG can crash the process or service handling the image.

Defensive priority

Medium. Prioritize if GraphicsMagick is used in services that automatically ingest or render SVGs, or if the product is exposed in workflow automation, document processing, or image conversion pipelines.

Recommended defensive actions

  • Upgrade GraphicsMagick to a vendor-fixed version in all affected environments.
  • Check distro advisories and package versions for Debian, openSUSE, and SUSE products listed in NVD’s affected CPEs.
  • Restrict or validate untrusted SVG input until patched packages are deployed.
  • Treat repeated GraphicsMagick crashes during SVG processing as a potential indicator of exposure to this issue.
  • Verify that downstream applications embedding GraphicsMagick are also rebuilt or redeployed with the fixed package.
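The following is an added example, not code from PatchSiren, NVD or the GraphicsMagick project, showing how an operator can act on three of the points above: checking whether an installed build is the 1.3.23 release NVD lists as affected, running SVG rendering in a child process so a NULL-pointer crash in the renderer (the failure mode the technical summary describes) does not take down the ingesting service, and counting repeated renderer crashes as the indicator the list mentions. It assumes the real `gm version` banner format ("GraphicsMagick 1.3.23 2015-11-07 Q16 ...") and the real `gm convert SRC DST` invocation; the crash threshold, the `simulated_crash_cmd` helper and the `RenderResult` structure are this example's own choices.

```python
"""Added example: version check, crash-isolated SVG rendering and a crash counter
for GraphicsMagick deployments exposed to CVE-2016-2318 (NULL dereference in the
SVG path). Not PatchSiren's or GraphicsMagick's code."""
import re
import subprocess
import sys
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# NVD lists GraphicsMagick 1.3.23 as the affected release for this CVE; other
# versions are left to the distro advisory rather than decided here.
AFFECTED_VERSION: Tuple[int, int, int] = (1, 3, 23)


def parse_gm_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from the first line printed by `gm version`.
    Real banner shape: 'GraphicsMagick 1.3.23 2015-11-07 Q16 http://www.GraphicsMagick.org/'."""
    m = re.search(r"GraphicsMagick\s+(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True only for the build NVD records as affected (exact match by design)."""
    return version == AFFECTED_VERSION


@dataclass
class RenderResult:
    ok: bool                 # renderer exited 0
    crashed: bool            # child killed by a signal (e.g. SIGSEGV from a NULL deref)
    timed_out: bool          # child exceeded the time budget
    returncode: Optional[int]
    stderr: str


def render_isolated(cmd: Sequence[str], timeout_s: float = 10.0) -> RenderResult:
    """Run a renderer command in a separate process so that a crash is contained.
    On POSIX, subprocess reports death-by-signal as a negative return code, which is
    what we classify as 'crashed' rather than an ordinary conversion error."""
    try:
        proc = subprocess.run(list(cmd), capture_output=True, timeout=timeout_s)
    except subprocess.TimeoutExpired as exc:
        err = (exc.stderr or b"").decode(errors="replace")
        return RenderResult(ok=False, crashed=False, timed_out=True, returncode=None, stderr=err)
    crashed = proc.returncode < 0
    return RenderResult(
        ok=proc.returncode == 0,
        crashed=crashed,
        timed_out=False,
        returncode=proc.returncode,
        stderr=proc.stderr.decode(errors="replace"),
    )


def gm_svg_convert_cmd(src_svg: str, dst_png: str, gm_binary: str = "gm") -> List[str]:
    """Command line for converting an SVG with GraphicsMagick (real CLI shape)."""
    return [gm_binary, "convert", src_svg, dst_png]


def simulated_crash_cmd() -> List[str]:
    """Constructed stand-in for a crashing renderer (hypothetical; used so the
    isolation logic can be exercised without a vulnerable gm build present)."""
    return [sys.executable, "-c", "import os, signal; os.kill(os.getpid(), signal.SIGSEGV)"]


def simulated_ok_cmd() -> List[str]:
    """Constructed stand-in for a renderer that succeeds."""
    return [sys.executable, "-c", "pass"]


class CrashMonitor:
    """Counts renderer crashes; once the threshold is reached the caller should
    raise an alert, since repeated crashes during SVG processing are the
    exposure indicator named in the debrief. Threshold is this example's choice."""

    def __init__(self, threshold: int = 3) -> None:
        self.threshold = threshold
        self.crashes = 0

    def record(self, result: RenderResult) -> bool:
        if result.crashed:
            self.crashes += 1
        return self.crashes >= self.threshold


if __name__ == "__main__":
    banner = subprocess.run(["gm", "version"], capture_output=True, text=True).stdout
    ver = parse_gm_version(banner)
    print("installed:", ver, "affected:", ver is not None and is_affected(ver))
    mon = CrashMonitor()
    res = render_isolated(gm_svg_convert_cmd("untrusted.svg", "out.png"))
    print("alert:", mon.record(res), res)
```

In production the `render_isolated` call would be combined with the usual resource limits on the child (CPU time, memory, no network) and the alert from `CrashMonitor` routed to the same place as other availability signals, so that a crashing renderer is investigated as possible exposure to this CVE rather than dismissed as a flaky conversion.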

Evidence notes

Primary facts come from the NVD CVE record and CVE.org entry. NVD lists the issue as CVE-2016-2318, published 2017-02-03 and modified 2026-05-13, with description text stating that GraphicsMagick 1.3.23 allows remote attackers to cause a denial of service via a crafted SVG file. NVD also provides CVSS 3.0 vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H and CWE-476. The affected CPEs in NVD include GraphicsMagick 1.3.23 and several Debian/SUSE/openSUSE product entries. Third-party advisory links in the source corpus corroborate vendor remediation activity, but their contents were not independently expanded beyond the supplied metadata.

Official resources

Published by NVD/CVE on 2017-02-03. The supplied record was modified on 2026-05-13; that modified date reflects database updates, not the original vulnerability disclosure date.