CVE-2016-9601

Name: CVE-2016-9601
Creator: NVD / NIST
Published: 2018-04-24T01:29:00.27+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 1.84%

Last modified Jun 17, 2026

CVE-2016-9601 is a vulnerability of currently unknown severity. ghostscript before version 9.21 is vulnerable to a heap based buffer overflow that was found in the ghostscript jbig2_decode_gray_scale_image function which is used to decode halftone segments in a JBIG2 image. A document (PostScript or PDF) with an embedded, specially crafted, jbig2 image could trigger a segmentation fault in ghostscript.. EPSS estimates a 1.84% chance of exploitation in the next 30 days.

Description

ghostscript before version 9.21 is vulnerable to a heap based buffer overflow that was found in the ghostscript jbig2_decode_gray_scale_image function which is used to decode halftone segments in a JBIG2 image. A document (PostScript or PDF) with an embedded, specially crafted, jbig2 image could trigger a segmentation fault in ghostscript.

Metrics

EPSS Probability

1.84%

76.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Artifex	Gpl Ghostscript	< 9.21
Artifex	Jbig2dec	<= 0.13
Debian	Debian Linux	8.0
Debian	Debian Linux	9.0

References

http://git.ghostscript.com/?p=jbig2dec.git%3Ba=commit%3Bh=e698d5c11d27212aa1098bc5b1673a3378563092
http://www.securityfocus.com/bid/97095Third Party Advisory, VDB Entry
https://bugs.ghostscript.com/show_bug.cgi?id=697457Issue Tracking, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9601Issue Tracking, Third Party Advisory
https://security.gentoo.org/glsa/201706-24Third Party Advisory
https://www.debian.org/security/2017/dsa-3817Third Party Advisory
http://git.ghostscript.com/?p=jbig2dec.git%3Ba=commit%3Bh=e698d5c11d27212aa1098bc5b1673a3378563092
http://www.securityfocus.com/bid/97095Third Party Advisory, VDB Entry
https://bugs.ghostscript.com/show_bug.cgi?id=697457Issue Tracking, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9601Issue Tracking, Third Party Advisory
https://security.gentoo.org/glsa/201706-24Third Party Advisory
https://www.debian.org/security/2017/dsa-3817Third Party Advisory

Timeline

Published: Apr 24, 2018
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2016-9601?

How severe is CVE-2016-9601?

Severity scoring for CVE-2016-9601 is pending analysis. The EPSS model estimates a 1.84% probability of exploitation in the next 30 days.

How do I fix CVE-2016-9601?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2016-9601?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST