CVE-2016-10145 – CVE-2016-10145 is an off-by-one buffer overflow... (How to Fix)

Q: What is the severity of CVE-2016-10145?

CVE-2016-10145 has a CVSS score of 9.8 (CRITICAL). CVE-2016-10145 is an off-by-one buffer overflow vulnerability in ImageMagick's WPG image format decoder. This allows remote attackers to execute arbitrary code or cause denial of service by tricking a user or application into processing a specially crafted WPG image file. Any system using vulnerable versions of ImageMagick to process untrusted image files is affected.

📋 TL;DR

CVE-2016-10145 is an off-by-one buffer overflow vulnerability in ImageMagick's WPG image format decoder. This allows remote attackers to execute arbitrary code or cause denial of service by tricking a user or application into processing a specially crafted WPG image file. Any system using vulnerable versions of ImageMagick to process untrusted image files is affected.

💻 Affected Systems

Products:

ImageMagick

Versions: Versions before 6.9.7-4 and 7.0.4-4

Operating Systems: All platforms running vulnerable ImageMagick versions

Default Config Vulnerable: ⚠️ Yes

Notes: Any application using ImageMagick to process WPG images is vulnerable. This includes web applications, document processors, and image conversion tools.

📦 What is this software?

Imagemagick by Imagemagick

View all CVEs affecting Imagemagick →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with the privileges of the ImageMagick process, potentially leading to full system compromise.

🟠

Likely Case

Application crash (denial of service) or limited memory corruption leading to unstable behavior.

🟢

If Mitigated

If proper input validation and sandboxing are in place, impact may be limited to denial of service.

🌐 Internet-Facing: HIGH - Image processing applications accepting user uploads are directly exposed.

🏢 Internal Only: MEDIUM - Internal systems processing images from untrusted sources remain vulnerable.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires the victim to process a malicious WPG file. Public proof-of-concept code demonstrates the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ImageMagick 6.9.7-4 and 7.0.4-4

Vendor Advisory: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851483

Restart Required: No

Instructions:

1. Update ImageMagick using your system's package manager. 2. For Debian/Ubuntu: sudo apt-get update && sudo apt-get install imagemagick. 3. For source installations: Download latest version from imagemagick.org and recompile.

🔧 Temporary Workarounds

Disable WPG format support

linux

Remove or disable the WPG coder module to prevent processing of WPG files.

sudo mv /etc/ImageMagick-6/policy.xml /etc/ImageMagick-6/policy.xml.backup
echo '<policymap><policy domain="coder" rights="none" pattern="WPG" /></policymap>' | sudo tee /etc/ImageMagick-6/policy.xml

🧯 If You Can't Patch

Implement strict input validation to reject WPG files at application level
Run ImageMagick in a sandboxed/containerized environment with minimal privileges

🔍 How to Verify

Check if Vulnerable:

Check ImageMagick version: convert --version | head -1. If version is below 6.9.7-4 or 7.0.4-4, system is vulnerable.

Check Version:

convert --version | head -1

Verify Fix Applied:

After update, verify version is 6.9.7-4 or higher (6.x) or 7.0.4-4 or higher (7.x).

📡 Detection & Monitoring

Log Indicators:

ImageMagick process crashes with segmentation faults
Error messages related to WPG file processing

Network Indicators:

Unusual WPG file uploads to web applications
Image processing requests for WPG files

SIEM Query:

process_name:"convert" AND (event_type:crash OR error_message:"WPG")

📊 Metadata

CVE ID: CVE-2016-10145

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-189

Published: March 24, 2017

Last Updated: April 20, 2025

🔗 References

http://www.debian.org/security/2017/dsa-3799 Mailing List,Third Party Advisory
http://www.openwall.com/lists/oss-security/2017/01/16/6 Mailing List,Patch,Third Party Advisory
http://www.openwall.com/lists/oss-security/2017/01/17/5 Mailing List,Patch,Third Party Advisory
http://www.securityfocus.com/bid/95749 Third Party Advisory,VDB Entry
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851483 Issue Tracking,Patch,Third Party Advisory
https://github.com/ImageMagick/ImageMagick/commit/d23beebe7b1179fb75db1e85fbca3100e49593d9 Issue Tracking,Patch,Third Party Advisory
https://security.gentoo.org/glsa/201702-09 Third Party Advisory
http://www.debian.org/security/2017/dsa-3799 Mailing List,Third Party Advisory
http://www.openwall.com/lists/oss-security/2017/01/16/6 Mailing List,Patch,Third Party Advisory
http://www.openwall.com/lists/oss-security/2017/01/17/5 Mailing List,Patch,Third Party Advisory
http://www.securityfocus.com/bid/95749 Third Party Advisory,VDB Entry
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851483 Issue Tracking,Patch,Third Party Advisory
https://github.com/ImageMagick/ImageMagick/commit/d23beebe7b1179fb75db1e85fbca3100e49593d9 Issue Tracking,Patch,Third Party Advisory
https://security.gentoo.org/glsa/201702-09 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2016-10145, you might also want to check these: