Vulnerability Details : CVE-2016-9556
The IsPixelGray function in MagickCore/pixel-accessor.h in ImageMagick 7.0.3-8 allows remote attackers to cause a denial of service (out-of-bounds heap read) via a crafted image file.
Vulnerability category: OverflowDenial of service
Products affected by CVE-2016-9556
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:imagemagick:imagemagick:7.0.3-8:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse_project:leap:42.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-9556
0.09%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 24 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2016-9556
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
8.6
|
2.9
|
NIST | |
|
5.5
|
MEDIUM | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
1.8
|
3.6
|
NIST |
CWE ids for CVE-2016-9556
-
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-9556
-
http://www.debian.org/security/2016/dsa-3726
Debian -- Security Information -- DSA-3726-1 imagemagickThird Party Advisory
-
https://blogs.gentoo.org/ago/2016/11/19/imagemagick-heap-based-buffer-overflow-in-ispixelgray-pixel-accessor-h
imagemagick: heap-based buffer overflow in IsPixelGray (pixel-accessor.h) | agostino's blogThird Party Advisory
-
https://github.com/ImageMagick/ImageMagick/commit/ce98a7acbcfca7f0a178f4b1e7b957e419e0cc99
https://github.com/ImageMagick/ImageMagick/issues/301 · ImageMagick/ImageMagick@ce98a7a · GitHubIssue Tracking;Patch;Vendor Advisory
-
http://www.openwall.com/lists/oss-security/2016/11/23/1
oss-security - Re: imagemagick: heap-based buffer overflow in IsPixelGray (pixel-accessor.h)Mailing List;Third Party Advisory
-
http://www.securityfocus.com/bid/94492
ImageMagick CVE-2016-9556 Heap Buffer Overflow VulnerabilityThird Party Advisory;VDB Entry
-
http://www.openwall.com/lists/oss-security/2016/12/02/12
oss-security - Re: Re: imagemagick: heap-based buffer overflow in IsPixelGray (pixel-accessor.h) (Incomplete fix for CVE-2016-9556)Mailing List;Third Party Advisory
-
http://lists.opensuse.org/opensuse-updates/2016-12/msg00040.html
openSUSE-SU-2016:3024-1: moderate: Security update for GraphicsMagickThird Party Advisory
-
http://www.openwall.com/lists/oss-security/2016/12/01/4
oss-security - imagemagick: heap-based buffer overflow in IsPixelGray (pixel-accessor.h) (Incomplete fix for CVE-2016-9556)Mailing List;Third Party Advisory
-
https://bugzilla.redhat.com/show_bug.cgi?id=1398198
1398198 – (CVE-2016-9556) CVE-2016-9556 ImageMagick: Heap-buffer overflow in IsPixelGray in pixel-accessor.hIssue Tracking;Third Party Advisory
Jump to