CVE-2016-7906

Published: Jan 18, 2017Modified: May 13, 2026

5.5

Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Exploitability: 1.8 / Impact: 3.6

Source: NVD

Description

magick/attribute.c in ImageMagick 7.0.3-2 allows remote attackers to cause a denial of service (use-after-free) via a crafted file.

Affected (2)

Products: Imagemagick: Imagemagick · Debian: Debian Linux

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Imagemagick Imagemagick	Version 7.0.3-2

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 8.0

Related CWEs

CWE-416

Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

References (14)

http://www.debian.org/security/2016/dsa-3726

Source: cve@mitre.org

Third Party Advisory

http://www.openwall.com/lists/oss-security/2016/10/02/1

Source: cve@mitre.org

Mailing ListPatchThird Party Advisory

http://www.openwall.com/lists/oss-security/2016/10/02/3

Source: cve@mitre.org

Mailing ListPatchThird Party Advisory

http://www.securityfocus.com/bid/93271

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

https://github.com/ImageMagick/ImageMagick/commit/90406972f108c4da71f998601b06abdc2ac6f06e

Source: cve@mitre.org

PatchVendor Advisory

https://github.com/ImageMagick/ImageMagick/issues/281

Source: cve@mitre.org

Issue TrackingPatchThird Party Advisory

https://security.gentoo.org/glsa/201611-21

Source: cve@mitre.org

Third Party Advisory

http://www.debian.org/security/2016/dsa-3726