PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-9085 Fedoraproject CVE debrief

CVE-2016-9085 covers multiple integer overflows in libwebp. The public record ties the issue to libwebp upstream and to affected Fedora packages, with NVD rating the weakness as low severity and limited to availability impact in its CVSS vector. This is primarily a patch-and-rebuild issue for software that ships or embeds libwebp, rather than a high-priority internet-facing emergency.

Vendor
Fedoraproject
Product
CVE-2016-9085
CVSS
LOW 3.3
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-03
Original CVE updated
2026-05-13
Advisory published
2017-02-03
Advisory updated
2026-05-13

Who should care

Security teams, Linux distribution maintainers, and application owners that package or embed libwebp, especially environments running affected Fedora 24/25 builds or libwebp versions up to 0.5.2.

Technical summary

NVD classifies the flaw as CWE-190 (integer overflow) in libwebp. The recorded CVSS vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, indicating a locally exploitable issue with low availability impact. The NVD CPE data identifies vulnerable libwebp versions through 0.5.2 and Fedora 24 and 25 packages.
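To make the CWE-190 class concrete for reviewers who do not read decoder code daily, the following C snippet is an added illustration written for this debrief. It is not libwebp code and makes no claim about which libwebp computation overflowed; it shows the generic pattern in which an image size calculation wraps in 32-bit arithmetic, next to a guarded version that rejects the input instead. The function names and the MAX_IMAGE_BYTES policy cap are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed policy cap for this example: refuse pixel buffers over 1 GiB. */
#define MAX_IMAGE_BYTES ((uint64_t)1 << 30)

/* CWE-190 pattern (illustrative, NOT libwebp code): three 32-bit factors are
 * multiplied without a guard, so the product wraps modulo 2^32. A hostile
 * header can make a huge image look tiny, and a later copy into the
 * undersized buffer becomes a memory-safety bug. */
uint32_t unchecked_buffer_size(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;   /* silently wraps when the real product exceeds 2^32-1 */
}

/* Guarded version: each multiplication is checked before it is performed,
 * the arithmetic is done in 64 bits, and the result is bounded by a policy cap.
 * Returns 1 on success and writes the size to *out; returns 0 on any overflow
 * or on a zero dimension, which a decoder should treat as malformed input. */
int checked_buffer_size(uint32_t width, uint32_t height, uint32_t bpp,
                        uint64_t max_bytes, uint64_t *out)
{
    uint64_t w = width, h = height, b = bpp;
    if (w == 0 || h == 0 || b == 0) return 0;
    if (w > UINT64_MAX / h) return 0;          /* w*h would overflow 64 bits */
    uint64_t area = w * h;
    if (area > UINT64_MAX / b) return 0;       /* area*b would overflow 64 bits */
    uint64_t total = area * b;
    if (total > max_bytes) return 0;           /* exceeds the caller's policy cap */
    *out = total;
    return 1;
}

/* Convenience wrapper: the checked size under MAX_IMAGE_BYTES, or 0 if rejected. */
uint64_t checked_size_or_zero(uint32_t width, uint32_t height, uint32_t bpp)
{
    uint64_t n;
    return checked_buffer_size(width, height, bpp, MAX_IMAGE_BYTES, &n) ? n : 0;
}

/* Allocation path that only proceeds when the size check passes. */
void *alloc_pixels(uint32_t width, uint32_t height, uint32_t bpp)
{
    uint64_t n = checked_size_or_zero(width, height, bpp);
    if (n == 0) return NULL;
    return calloc(1, (size_t)n);
}

int main(void)
{
    /* Constructed header values: 65536 x 65536 at 4 bytes/pixel is 16 GiB,
     * but the unchecked 32-bit product wraps to exactly 0. */
    printf("unchecked 65536x65536x4 = %u bytes\n",
           unchecked_buffer_size(0x10000u, 0x10000u, 4u));
    printf("checked   65536x65536x4 = %llu bytes (0 = rejected)\n",
           (unsigned long long)checked_size_or_zero(0x10000u, 0x10000u, 4u));
    printf("checked   640x480x4     = %llu bytes\n",
           (unsigned long long)checked_size_or_zero(640u, 480u, 4u));
    void *p = alloc_pixels(640u, 480u, 4u);
    printf("alloc 640x480x4 %s\n", p ? "ok" : "failed");
    free(p);
    return 0;
}
```

The defensive takeaway for teams triaging this CVE is that the fix class is a bounds check ahead of allocation, which is why the recommended action is to move to a patched library build rather than to add mitigations around the consuming application.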

Defensive priority

Low. The issue is publicly known and should be remediated where libwebp is present, but the recorded severity and local-access prerequisites suggest it is not an urgent emergency compared with remotely exploitable or high-impact vulnerabilities.

Recommended defensive actions

  • Verify whether your software stack ships libwebp directly or via a bundled dependency.
  • Update or rebuild against a patched libwebp version where available; NVD lists vulnerability coverage through libwebp 0.5.2.
  • Apply the relevant Fedora package updates for Fedora 24 and 25 if those environments are still in scope.
  • Use package inventory and dependency scanning to find applications that consume libwebp so fixes reach downstream builds.
  • Review vendor or distribution advisories linked from the CVE record before scheduling maintenance windows.

Evidence notes

The description in the supplied CVE record states 'Multiple integer overflows in libwebp allows attackers to have unspecified impact via unknown vectors.' NVD metadata identifies CWE-190 and lists affected libwebp versions up to 0.5.2, plus Fedora 24 and 25 CPEs. The record also includes upstream and distribution references, including an oss-security mailing list post dated 2016-10-27 and a libwebp patch reference.

Official resources

Publicly disclosed in upstream/community channels before the CVE entry, with an oss-security reference dated 2016-10-27. The CVE record was published by NVD on 2017-02-03; use that date for CVE timing context.