PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-4493 GNU CVE debrief

CVE-2016-4493 affects the cplus-dem.c demangling code in GNU libiberty. The supplied description says that demangle_template_value_parm and do_hpacc_template_literal can trigger an out-of-bounds read and crash when given a crafted binary. NVD rates the issue CVSS 3.0 base score 5.5 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H): local attack vector, user interaction required, and impact on availability only. The main security impact is therefore denial of service rather than data exposure or code execution.

Vendor: GNU
Product: libiberty
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-24
Original CVE updated: 2026-05-13
Advisory published: 2017-02-24
Advisory updated: 2026-05-13

Who should care

Teams that ship or use GNU libiberty, especially tools or services that process untrusted binaries and rely on the cplus-dem demangler. Security owners for GCC-derived packages should also verify whether the referenced patch is included.

Technical summary

The NVD record ties the flaw to an out-of-bounds read in demangle_template_value_parm and do_hpacc_template_literal within cplus-dem.c in libiberty, with CWE-125 as the primary weakness. The supplied CVE description notes a crash caused by a crafted binary, and the NVD vector indicates a user-interaction-dependent availability issue.

Defensive priority

Medium. Prioritize if libiberty is exposed to untrusted binary inputs or if crashes in symbol demangling would have operational impact.

Recommended defensive actions

  • Apply the vendor patch referenced in the supplied gcc-patches and Openwall advisory links, or upgrade to a package version that already includes it.
  • Inventory software that embeds or depends on GNU libiberty and identify any paths that parse untrusted binaries.
  • Restrict untrusted input to demangling or binary-inspection components until the patched build is deployed.
  • Treat crashes in cplus-dem parsing as security-relevant and monitor for unexpected failures or core dumps.
  • Verify downstream packages and distributions that bundle libiberty have incorporated the fix.
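The third and fourth actions above (restrict untrusted input to the demangler, and treat demangler crashes as security-relevant) can be combined in one wrapper. The following is an added example written for this debrief; it is not PatchSiren's, GNU's or binutils' code. It assumes the demangler is invoked as an external command (the default `c++filt` is assumed, as the binutils front end to libiberty's cplus-dem.c), so that an out-of-bounds read that kills the child cannot take down the calling service, and a signal-terminated exit is classified and logged rather than swallowed. The length cap, the stand-in commands and the log-line format are constructed for the example.

```python
import subprocess
import sys
from dataclasses import dataclass
from typing import Optional, Sequence

# Assumption: cap on one mangled name accepted from an untrusted source.
MAX_SYMBOL_LEN = 4096

# Assumed default: binutils' c++filt, a thin front end to libiberty's cplus-dem.c.
DEFAULT_DEMANGLER: Sequence[str] = ("c++filt",)

# Constructed stand-ins so the example runs without binutils installed: one echoes
# its input back, the other dies with SIGSEGV the way a crashed demangler would.
PASSTHROUGH_CMD = (sys.executable, "-c",
                   "import sys; sys.stdout.write(sys.stdin.read().strip())")
CRASHING_CMD = (sys.executable, "-c",
                "import os, signal; os.kill(os.getpid(), signal.SIGSEGV)")


@dataclass
class DemangleResult:
    status: str                  # "ok", "rejected", "crashed", "timeout" or "error"
    output: str = ""
    signal: Optional[int] = None


def demangle_isolated(symbol: str, command: Sequence[str] = DEFAULT_DEMANGLER,
                      timeout: float = 2.0) -> DemangleResult:
    """Demangle one symbol in a child process and classify how the child ended."""
    # Cheap input gate before anything reaches the demangler: a length cap and no
    # control characters (a newline would smuggle a second symbol into c++filt).
    if len(symbol) > MAX_SYMBOL_LEN or any(ord(c) < 0x20 or ord(c) == 0x7F for c in symbol):
        return DemangleResult("rejected")
    try:
        proc = subprocess.run(list(command), input=symbol + "\n",
                              capture_output=True, text=True, timeout=timeout)
    except FileNotFoundError:
        return DemangleResult("error", output="demangler not found")
    except subprocess.TimeoutExpired:
        # subprocess.run kills the child on timeout, so a hang cannot pile up.
        return DemangleResult("timeout")
    # POSIX: a negative return code is the number of the signal that killed the child.
    if proc.returncode < 0:
        return DemangleResult("crashed", signal=-proc.returncode)
    if proc.returncode != 0:
        return DemangleResult("error", output=proc.stderr.strip())
    return DemangleResult("ok", output=proc.stdout.strip())


def security_relevant(result: DemangleResult) -> bool:
    """Crashes and hangs inside the demangler are treated as security events, not noise."""
    return result.status in ("crashed", "timeout")


def event_line(symbol: str, result: DemangleResult) -> str:
    """One log line per demangle call (constructed format for this example)."""
    sev = "ALERT" if security_relevant(result) else "INFO"
    extra = f" signal={result.signal}" if result.signal is not None else ""
    return f"{sev} demangle status={result.status}{extra} symbol_len={len(symbol)}"


if __name__ == "__main__":
    # Exercise both stand-ins; the crashing one yields an ALERT line with signal=11.
    for cmd in (PASSTHROUGH_CMD, CRASHING_CMD):
        res = demangle_isolated("_Z3foov", command=cmd)
        print(event_line("_Z3foov", res))
```

The process boundary is the point: with the demangler in its own child, an out-of-bounds read that segfaults costs one request rather than the whole service, and the wrapper sees the signal number instead of disappearing with it. Feeding `event_line` output into whatever log pipeline already watches for core dumps covers the monitoring action without any change to the demangler itself.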

Evidence notes

The supplied NVD record states that CVE-2016-4493 affects cpe:2.3:a:gnu:libiberty:* and assigns CVSS 3.0 vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H with CWE-125. The CVE description explicitly mentions an out-of-bounds read and crash in demangle_template_value_parm and do_hpacc_template_literal in cplus-dem.c. Supporting references in the corpus include an Openwall mailing-list advisory/patch thread, GCC Bugzilla issue 70926, and a gcc-patches post.

Official resources

Published in the CVE/NVD record on 2017-02-24; the supplied advisory and patch references date to 2016-05-05. The 2026-05-13 modification date in the source reflects database updates, not the original issue date.