PatchSiren cyber security CVE debrief

CVE-2016-10164 X.org CVE debrief

CVE-2016-10164 is a critical libXpm flaw affecting versions before 3.5.12. When a program parses XPM extensions on a 64-bit platform, crafted input can trigger integer overflows in the number of extensions or their combined length, leading to a heap-based buffer overflow. The stated impact includes denial of service and potential arbitrary code execution.

Vendor: X.org
Product: CVE-2016-10164
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-01
Original CVE updated: 2026-05-13
Advisory published: 2017-02-01
Advisory updated: 2026-05-13

Who should care

Security teams, distro maintainers, and application owners that ship or embed libXpm, especially those whose software accepts or parses untrusted XPM files with extension parsing enabled on 64-bit systems.

Technical summary

According to the NVD record, libXpm before 3.5.12 contains multiple integer overflow conditions in XPM extension parsing. A crafted XPM file can cause the parser to miscalculate either the extension count or the concatenated extension length. Those bad size calculations can result in an undersized heap allocation followed by an out-of-bounds write, which NVD maps to CWE-119, CWE-190, and CWE-787. The affected CPE range is libXpm versions up to and including 3.5.11.
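The size-calculation failure described above, as an added illustration that is not libXpm's code: a constructed routine that derives the heap size for an extension table from an untrusted extension count and per-extension lengths, rejecting any input whose arithmetic would wrap, shown beside the unchecked form to make the undersized allocation visible. The function names, the entry size and the 64 MiB cap are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical hard cap on the extension table: no real XPM file needs
 * anything close to this, so exceeding it is treated as hostile input. */
#define MAX_EXT_BYTES ((size_t)64 * 1024 * 1024)

/* Checked computation (constructed example, not libXpm's code).
 * Returns 0 and fills *out_size on success; returns -1 if the count times
 * the per-entry size, or the running total of lengths, would overflow
 * size_t or exceed MAX_EXT_BYTES. The caller must refuse the file on -1
 * instead of calling malloc() with a wrapped-around size. */
int ext_table_size(unsigned int count, const size_t *lengths, size_t *out_size)
{
    const size_t entry = sizeof(char *);   /* one pointer slot per extension */
    if (count > SIZE_MAX / entry)          /* guards count * entry on 32-bit too */
        return -1;
    size_t total = (size_t)count * entry;
    for (unsigned int i = 0; i < count; i++) {
        if (lengths[i] > SIZE_MAX - 1)     /* +1 for the string's NUL terminator */
            return -1;
        size_t need = lengths[i] + 1;
        if (total > SIZE_MAX - need)       /* would the addition wrap? */
            return -1;
        total += need;
        if (total > MAX_EXT_BYTES)
            return -1;
    }
    *out_size = total;
    return 0;
}

/* Unchecked form of the same arithmetic, kept only for contrast: a huge
 * length wraps the total to a small value, and an allocation of that size
 * is the undersized heap buffer that a later copy then overruns. */
size_t ext_table_size_unchecked(unsigned int count, const size_t *lengths)
{
    size_t total = (size_t)count * sizeof(char *);
    for (unsigned int i = 0; i < count; i++)
        total += lengths[i] + 1;
    return total;
}
```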

Defensive priority

Immediate

Recommended defensive actions

  • Upgrade libXpm to 3.5.12 or later.
  • Prioritize patching any system that accepts untrusted XPM files or processes image content from external sources.
  • Review downstream vendor advisories and apply available package updates from your distribution.
  • If immediate upgrading is not possible, reduce exposure by limiting where XPM parsing occurs and treating external XPM input as untrusted.
  • Verify dependency inventories for applications linked against libXpm, including bundled copies in vendor products.

Evidence notes

The official NVD record lists the vulnerability as modified on 2026-05-13 and published on 2017-02-01, with CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H and severity 9.8. The corpus also includes the upstream patch reference, xorg mailing list discussion, and downstream advisories from Debian, Red Hat, and Gentoo, all consistent with a fixed version boundary at 3.5.12. This debrief uses only the supplied corpus and official links.

Official resources

Publicly disclosed in the NVD/CVE record on 2017-02-01. Later database updates, including the 2026-05-13 modification timestamp, are record maintenance events and not the vulnerability's original issue date.