PatchSiren


CVE-2016-4491 GNU CVE debrief

CVE-2016-4491 is a denial-of-service issue in GNU libiberty's C++ demangling code. The vulnerable d_print_comp function in cp-demangle.c can recurse indefinitely and overflow a buffer when given a crafted binary, leading to a segmentation fault and crash. NVD classifies the issue as medium severity and maps it to CWE-119. The CVE was published on 2017-02-24, while the referenced patch discussion and issue tracking entries date to May 2016.

Vendor: GNU
Product: CVE-2016-4491
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-24
Original CVE updated: 2026-05-13
Advisory published: 2017-02-24
Advisory updated: 2026-05-13

Who should care

Teams that ship or embed GNU libiberty, libiberty-based tooling, or demangling functionality should review this CVE. That includes maintainers of build systems, analysis tools, and any software that processes untrusted binaries and may invoke cp-demangle or related symbol handling paths.

Technical summary

According to the CVE record, the issue is in d_print_comp in cp-demangle.c within libiberty. A crafted binary can cause a node to have itself as an ancestor more than once, which triggers infinite recursion and a buffer overflow. The observable impact is a crash/segmentation fault and denial of service. NVD's CVSS vector is CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, and the weakness is classified as CWE-119.
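The failure mode described above can be modelled with a small recursive printer that counts how often each node is on the current print path and stops once a node is already its own ancestor more than once. This is an added example, not libiberty's code or the upstream patch; the struct layout and the names comp, printer, print_comp, render and demo are hypothetical, and the input tree is constructed.

```c
#include <string.h>

/* Hypothetical, simplified component node; not libiberty's real struct. */
struct comp {
    const char *text;           /* text emitted for this node, or NULL */
    struct comp *left, *right;  /* children; crafted input may alias an ancestor */
    int printing;               /* times this node is on the current print path */
};
struct printer { char buf[64]; size_t len; int error; };

static void emit(struct printer *p, const char *s)
{
    size_t n = strlen(s);
    if (p->len + n >= sizeof p->buf) { p->error = 1; return; } /* bounded output */
    memcpy(p->buf + p->len, s, n + 1);
    p->len += n;
}

/* Recursive printer with the guard: fail once a node is already its own
   ancestor more than once, instead of recursing until the stack runs out. */
static void print_comp(struct printer *p, struct comp *c)
{
    if (c == NULL || p->error) return;
    if (c->printing > 1) { p->error = 1; return; }
    c->printing++;
    if (c->text) emit(p, c->text);
    print_comp(p, c->left);
    print_comp(p, c->right);
    c->printing--;              /* rebalanced on the error path as well */
}

/* Returns 0 with the rendered name in out, or -1 for a cyclic/oversized tree. */
int render(struct comp *root, char *out, size_t outsz)
{
    struct printer p = { "", 0, 0 };
    print_comp(&p, root);
    if (p.error || p.len >= outsz) return -1;
    memcpy(out, p.buf, p.len + 1);
    return 0;
}

/* Constructed input: "foo" -> "::bar"; with cyclic set, the child points back up. */
int demo(int cyclic, char *out, size_t n)
{
    struct comp child = { "::bar", NULL, NULL, 0 }, root = { "foo", &child, NULL, 0 };
    if (cyclic) child.left = &root;   /* node becomes its own ancestor */
    return render(&root, out, n);
}
```

Without the counter check, the cyclic case would never return from print_comp; with it, the caller gets an error code it can log and handle.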

Defensive priority

Medium. This is a denial-of-service vulnerability rather than a data exposure or code execution issue in the supplied record, but it can still disrupt tooling that handles untrusted binaries. Prioritize if libiberty-backed components are exposed to attacker-controlled inputs or are part of build, parsing, or analysis pipelines.

Recommended defensive actions

  • Identify whether your software ships, links against, or vendors GNU libiberty components, especially cp-demangle.c / d_print_comp paths.
  • Apply the upstream fix or vendor patch referenced in the GNU patch discussion and oss-security thread.
  • Limit or sandbox processing of untrusted binaries in workflows that invoke symbol demangling or related parsing code.
  • Monitor for repeated crashes in demangling or binary-analysis tooling and treat them as a potential sign of this issue.
  • Track downstream packages that may embed libiberty rather than relying only on a system-provided copy.

Evidence notes

Supported facts come from the NVD CVE record and its referenced GNU and OSS-security links. The CVE description states the crash is triggered by crafted binary input and is related to infinite recursion and a buffer overflow in d_print_comp. NVD lists the affected CPE as cpe:2.3:a:gnu:libiberty:*:*:*:*:*:*:*:* and classifies the weakness as CWE-119. The cited references include the oss-security post, GCC bug 70909, and the GCC patch thread from May 2016.

Official resources

CVE-2016-4491 was published by the CVE Program and NVD on 2017-02-24. The source references in the record point to May 2016 discussion and patch material, but those are reference dates, not the CVE publication date.