PatchSiren cyber security CVE debrief
CVE-2016-8568 Fedoraproject CVE debrief
CVE-2016-8568 is a medium-severity denial-of-service issue in libgit2. The vulnerable code path is git_commit_message in oid.c: a crafted object file processed through a cat-file command triggers an out-of-bounds read and crashes the application. NVD maps the issue to CWE-125 and rates the impact as availability-only, with no confidentiality or integrity impact. The CVE was published on 2017-02-03, but the referenced upstream and distro advisories show remediation activity starting in October 2016 and continuing into package updates for Fedora and openSUSE/SUSE.
- Vendor
- Fedoraproject (distribution packager listed in the CVE metadata; the affected software is libgit2)
- Product
- libgit2
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2017-02-03
- Original CVE updated
- 2026-05-13
- Advisory published
- 2017-02-03
- Advisory updated
- 2026-05-13
Who should care
Teams that ship or embed libgit2 before 0.24.3, especially Linux distributions and applications that expose git object inspection or cat-file-style workflows. Security and platform teams should also care if they depend on packaged libgit2 from Fedora, openSUSE, or SUSE Enterprise repositories identified in the CVE metadata.
Technical summary
The issue affects libgit2 versions up to and including 0.24.2, with the fix landing in v0.24.3. An attacker supplies a crafted object file; when it reaches the cat-file code path, git_commit_message in oid.c reads outside the intended buffer bounds and the process crashes. The result is a denial of service rather than a data-modification issue: NVD records no confidentiality or integrity impact and lists the weakness as CWE-125 (out-of-bounds read). The CVSS v3.0 vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H reads as follows: the crafted object has to be present on the local system (AV:L, typically inside a repository the victim has obtained), no privileges are needed (PR:N), a user or tool must actually inspect the object (UI:R), scope is unchanged (S:U), and the only impact is on availability (C:N/I:N/A:H). Those metrics together yield the 5.5 Medium base score.
Defensive priority
High for systems that process untrusted Git objects or expose libgit2-based tooling to untrusted input; otherwise medium. The issue is primarily a crash-risk vulnerability, but it can still interrupt developer workflows, automation, or services that parse repository data.
Recommended defensive actions
- Upgrade libgit2 to 0.24.3 or later; the vulnerable range in the NVD data ends at 0.24.2.
- Review distro packaging and ensure Fedora/openSUSE/SUSE packages have pulled in the patched build where applicable.
- If immediate upgrading is not possible, restrict exposure to untrusted object files and limit who can trigger cat-file-style processing.
- Monitor applications that embed libgit2 for crashes or abnormal termination when handling repository objects.
- Validate dependency manifests and SBOMs for transitive libgit2 usage, not just direct package references.
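The upgrade, packaging and SBOM items above reduce to one question: is the libgit2 that actually ends up in a build older than 0.24.3, and what pulls it in. The following added example (editor's code, not from the page, libgit2 or any distribution) answers that over a CycloneDX-style SBOM. It compares versions numerically rather than as strings, strips distro release suffixes such as -1.fc25 before comparing against the upstream fixed version, and walks the dependency graph so a libgit2 that arrives transitively (here behind a pygit2 binding) is attributed to the application that ships it. The SBOM contents, the component refs and the 0.24.10 version string are constructed for the example.

```python
import json
import re

# Fix landed in libgit2 v0.24.3; every earlier release is in the NVD range.
FIXED_VERSION = (0, 24, 3)


def parse_version(ver):
    """Comparable tuple for upstream-style versions: '0.24.2', 'v0.24.3',
    '0.24.3-1.fc25'. The distro release suffix is dropped because the NVD
    range is keyed on the upstream version; '0.24' pads to (0, 24, 0)."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", ver.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {ver!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(ver):
    """True when the upstream version is older than the fixed 0.24.3 release.
    Numeric comparison matters: as strings, '0.24.10' sorts before '0.24.3'."""
    return parse_version(ver) < FIXED_VERSION


def reverse_edges(sbom):
    """Map each bom-ref to the set of components that depend on it."""
    dependents = {}
    for entry in sbom.get("dependencies", []):
        for dep in entry.get("dependsOn", []):
            dependents.setdefault(dep, set()).add(entry["ref"])
    return dependents


def dependency_chains(ref, dependents, seen=()):
    """Every top-level -> ... -> ref path, so a finding can be attributed to
    the application that actually pulls libgit2 in transitively."""
    parents = sorted(dependents.get(ref, ()))
    if not parents:
        return [[ref]]
    chains = []
    for parent in parents:
        if parent in seen:  # tolerate cyclic SBOM graphs
            continue
        for chain in dependency_chains(parent, dependents, seen + (ref,)):
            chains.append(chain + [ref])
    return chains


def find_libgit2(sbom):
    """Report every libgit2 component in a CycloneDX-style SBOM dict, direct
    or transitive, with its affected status and dependency chains."""
    dependents = reverse_edges(sbom)
    findings = []
    for comp in sbom.get("components", []):
        if comp.get("name") != "libgit2":
            continue
        ref = comp["bom-ref"]
        findings.append({
            "ref": ref,
            "version": comp["version"],
            "affected": is_affected(comp["version"]),
            "chains": dependency_chains(ref, dependents),
        })
    return findings


# Constructed sample SBOM (not from any real system). The 0.24.10 entry is a
# hypothetical version chosen to show why string comparison gives the wrong answer.
SAMPLE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"bom-ref": "pkg:generic/libgit2@0.24.2", "name": "libgit2", "version": "0.24.2"},
    {"bom-ref": "pkg:pypi/pygit2@0.24.2", "name": "pygit2", "version": "0.24.2"},
    {"bom-ref": "pkg:generic/app@1.0", "name": "app", "version": "1.0"},
    {"bom-ref": "pkg:rpm/fedora/libgit2@0.24.3-1.fc25", "name": "libgit2", "version": "0.24.3-1.fc25"},
    {"bom-ref": "pkg:generic/libgit2@0.24.10", "name": "libgit2", "version": "0.24.10"}
  ],
  "dependencies": [
    {"ref": "pkg:generic/app@1.0", "dependsOn": ["pkg:pypi/pygit2@0.24.2"]},
    {"ref": "pkg:pypi/pygit2@0.24.2", "dependsOn": ["pkg:generic/libgit2@0.24.2"]}
  ]
}""")


def affected_findings(sbom=SAMPLE_SBOM):
    """Only the libgit2 components that fall inside the vulnerable range."""
    return [f for f in find_libgit2(sbom) if f["affected"]]


if __name__ == "__main__":
    for f in affected_findings():
        for chain in f["chains"]:
            print(f"AFFECTED libgit2 {f['version']}: " + " -> ".join(chain))
```

A version string is a triage filter, not a verdict: distributions routinely backport fixes without changing the upstream version, so for the Fedora and openSUSE/SUSE packages the distro advisory and package changelog decide whether a build is fixed, and a hit from this script should be confirmed against them rather than treated as final. For a running process the same question can be put to the library itself, since libgit2 exposes its version through the `git_libgit2_version()` API.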
Evidence notes
Evidence in the supplied corpus ties the vulnerability to libgit2 before 0.24.3, specifically git_commit_message in oid.c, with CWE-125 and an availability-only CVSS impact. The NVD references include the upstream libgit2 release v0.24.3, the libgit2 issue tracker entry, and multiple distro advisories from openSUSE and Fedora. The published CVE date is 2017-02-03, and the record was later modified on 2026-05-13; those dates are timeline context, not the vulnerability occurrence date.
Official resources
- CVE-2016-8568 CVE record (CVE.org)
- CVE-2016-8568 NVD detail (NVD)
- Source item: nvd_modified
- Mitigation or vendor reference: Third Party Advisory
- Mitigation or vendor reference: Third Party Advisory
- Mitigation or vendor reference: Third Party Advisory
- Mitigation or vendor reference: Third Party Advisory
- Mitigation or vendor reference: Mailing List, Patch, Third Party Advisory
- Mitigation or vendor reference: Third Party Advisory, VDB Entry
- Source reference: Issue Tracking
The CVE was published by the CNA/NVD on 2017-02-03. The supplied references show remediation and advisories appearing before and after publication, including a 2016-10-08 oss-security mailing list thread and later distro update notices. The