Cyber Resilience

CVE-2016-3714

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 05 May 2016

Modified: 21 April 2026
KEV Added: 09 September 2024
Patch
CVSS Score v3.1: 8.4 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9362 (99.8th percentile)
Risk Priority: 93 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2016-3714 is a high-severity Improper Input Validation (CWE-20) vulnerability in ImageMagick, as packaged in Canonical Ubuntu Linux and the other distributions listed under Affected Assets. Its CVSS base score is 8.4 (High).

Operationally, it is ranked in the top 0.2% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Deeper analysis

The vulnerability tracked as CVE-2016-3714, also known as ImageTragick, is an input validation flaw (CWE-20) present in multiple coders within ImageMagick versions prior to 6.9.3-10 and 7.x prior to 7.0.1-1. Specifically, the EPHEMERAL, HTTPS, MVG, MSL, TEXT, SHOW, WIN, and PLT coders fail to sanitize shell metacharacters when processing image files, enabling arbitrary command execution.

Remote attackers can exploit the issue by supplying a specially crafted image that triggers one of the affected coders during processing. Successful exploitation grants the ability to execute arbitrary code on the target system with the privileges of the ImageMagick process, corresponding to a CVSS 3.1 base score of 8.4.

Advisories and patches referenced in the ImageMagick ChangeLog and multiple OpenSUSE security announcements address the flaw through updated packages that restrict or sanitize the vulnerable coders.

EU & UK References

Vulnerability details

The (1) EPHEMERAL, (2) HTTPS, (3) MVG, (4) MSL, (5) TEXT, (6) SHOW, (7) WIN, and (8) PLT coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to execute arbitrary code via shell metacharacters in a crafted image, aka "ImageTragick."

CWE(s)
KEV Date Added: 09 September 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

imagemagick / imagemagick: 7.0.0-0, 7.0.1-0 · ≤ 6.9.3-9
canonical / ubuntu linux: 12.04, 14.04, 15.10, 16.04
debian / debian linux: 8.0, 9.0
opensuse / leap: 42.1
opensuse / opensuse: 13.2
suse / suse linux enterprise server: 12

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Directly requires validation and sanitization of untrusted image input to block shell metacharacters in the affected coders.

Prevent: Enforces disabling or restricting the vulnerable EPHEMERAL/HTTPS/MVG/etc. coders so they cannot be invoked on crafted images.

Prevent: Mandates timely application of patches that sanitize or remove the flawed coders in ImageMagick < 6.9.3-10 / 7.0.1-1.
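
One way to audit the coder restriction described above, as an added example that is not from this page or the ImageMagick project: it parses an ImageMagick policy.xml and lists which of the eight named coders are not denied. It assumes the `<policy domain="coder" rights="none" pattern="..."/>` policy format and that the last matching policy decides; the function names and the sample policy are constructed for illustration.

```python
import fnmatch
import xml.etree.ElementTree as ET

# The eight coders this page names for CVE-2016-3714.
AFFECTED_CODERS = ("EPHEMERAL", "HTTPS", "MVG", "MSL", "TEXT", "SHOW", "WIN", "PLT")


def _alternatives(pattern):
    """Expand a '{A,B}' list into its members; other patterns pass through."""
    if pattern.startswith("{") and pattern.endswith("}"):
        return [p.strip() for p in pattern[1:-1].split(",")]
    return [pattern]


def unblocked_coders(policy_xml, coders=AFFECTED_CODERS):
    """Return the coders that policy_xml does not deny with rights="none"."""
    root = ET.fromstring(policy_xml)
    blocked = {c: False for c in coders}  # no matching policy means enabled
    for policy in root.iter("policy"):
        if policy.get("domain", "").lower() != "coder":
            continue
        denied = policy.get("rights", "").strip().lower() == "none"
        for glob in _alternatives(policy.get("pattern", "")):
            for coder in coders:
                # Assumption: policies apply in file order and the last match
                # wins. Matching is case-sensitive, the conservative choice.
                if fnmatch.fnmatchcase(coder, glob):
                    blocked[coder] = denied
    return [c for c in coders if not blocked[c]]


# Constructed sample policy: MSL is denied and then re-enabled by a later
# entry, TEXT is covered by a glob, SHOW/WIN/PLT are never mentioned.
SAMPLE_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="{HTTPS,MVG}"/>
  <policy domain="coder" rights="none" pattern="MSL"/>
  <policy domain="coder" rights="read|write" pattern="MSL"/>
  <policy domain="coder" rights="none" pattern="T*"/>
</policymap>"""

if __name__ == "__main__":
    gaps = unblocked_coders(SAMPLE_POLICY)
    print("coders still enabled:", ", ".join(gaps) or "none")
```

An empty result means every listed coder is denied by the policy file; it does not replace upgrading to a fixed ImageMagick release.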

References