PatchSiren cyber security CVE debrief

CVE-2016-8688 Libarchive CVE debrief

CVE-2016-8688 is a denial-of-service flaw in libarchive’s mtree format support. The mtree bidder does not keep track of line sizes when it extends its read-ahead, so crafted archive content can cause an invalid (out-of-bounds) read in detect_form or bid_entry and crash the process. The NVD record rates this as a medium-severity (CVSS 5.5) availability issue, lists libarchive 3.2.1 as affected, and references distribution advisories and an upstream fix.

CVE: CVE-2016-8688
Vendor: libarchive
Product: libarchive
CVSS: MEDIUM 5.5 (NVD, CVSS v3.0)
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-15
Original CVE updated: 2026-05-13
Advisory published: 2017-02-15
Advisory updated: 2026-05-13

Who should care

Security teams, distro maintainers, and application owners that use libarchive or bsdtar to process untrusted archives should care most. This is especially relevant for environments matching the NVD-listed libarchive 3.2.1 CPE and downstream packages that backported or shipped the affected mtree code.

Technical summary

The issue is in archive_read_support_format_mtree.c. According to the record, the mtree bidder does not keep track of line sizes while extending the read-ahead buffer, which can lead to an invalid read during detect_form or bid_entry processing. NVD maps the weakness to CWE-125 (out-of-bounds read). NVD’s CVSS vector is CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (5.5): local attack vector, no privileges required, user interaction required, and availability as the only impact, which matches a crash rather than memory disclosure or code execution.
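To make the bug class concrete, the following is an added C model written for this debrief; it is not libarchive’s code and does not reproduce the exact logic of archive_read_support_format_mtree.c. It models a format bidder that scans the first line of the input through a growable read-ahead window. The buggy variant bounds its scan by the number of bytes it requested rather than the number delivered, so a crafted input that ends mid-line after the window is extended drives the scan past the available data; the fixed variant tracks the delivered size, treats a short extension as end of input, and caps the line length. The stream, read_ahead, at, INITIAL_WINDOW and MAX_LINE names and the three sample inputs are all constructed for the example, and out-of-window reads are counted instead of dereferenced so the program never actually crashes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical mtree-style bidder with a growable read-ahead window, added
 * for this debrief. Not libarchive's code. */
struct stream { const unsigned char *data; size_t size; }; /* in-memory input */

/* Read-ahead stand-in: *avail is what was actually delivered (< want at EOF). */
static const unsigned char *read_ahead(const struct stream *s, size_t want, size_t *avail)
{
    *avail = want < s->size ? want : s->size;
    return s->data;
}

/* Instrumented access: a real out-of-window read is undefined behaviour (the
 * crash the CVE describes); here it is counted and reads as 0 instead. */
static unsigned char at(const unsigned char *b, size_t i, size_t avail, int *oob)
{
    if (i >= avail) { (*oob)++; return 0; }
    return b[i];
}

enum { BID_NO = 0, BID_YES = 32 };
#define INITIAL_WINDOW 16
#define MAX_LINE 4096
static int looks_like_mtree(const unsigned char *b, size_t linelen)
{
    return linelen >= 6 && memcmp(b, "#mtree", 6) == 0;
}

/* Buggy bidder: bounds the scan by the size it requested (want), so once an
 * extension delivers fewer bytes than requested it reads past avail. */
static int bid_buggy(const struct stream *s, int *oob)
{
    size_t want = INITIAL_WINDOW, avail, n = 0;
    const unsigned char *b = read_ahead(s, want, &avail);
    for (;;) {
        if (n == want) {                         /* no newline yet: grow */
            if (want >= MAX_LINE) return BID_NO;
            want *= 2;
            b = read_ahead(s, want, &avail);     /* avail not consulted again */
        }
        if (at(b, n, avail, oob) == '\n') break;
        n++;
    }
    return looks_like_mtree(b, n) ? BID_YES : BID_NO;
}

/* Fixed bidder: bounds the scan by what was delivered (avail), treats a short
 * extension as end of input, and caps the line length. */
static int bid_fixed(const struct stream *s, int *oob)
{
    size_t want = INITIAL_WINDOW, avail, n = 0;
    const unsigned char *b = read_ahead(s, want, &avail);
    for (;;) {
        if (n == avail) {                        /* every delivered byte seen */
            if (avail < want || want >= MAX_LINE) return BID_NO; /* truncated/overlong */
            want *= 2;
            b = read_ahead(s, want, &avail);
            continue;                            /* re-check n against new avail */
        }
        if (at(b, n, avail, oob) == '\n') break; /* n < avail here: never oob */
        n++;
    }
    return looks_like_mtree(b, n) ? BID_YES : BID_NO;
}

typedef int (*bidder_fn)(const struct stream *, int *);
/* bid_result: the bid a bidder returns for a sample; oob_count: how many
 * out-of-window reads it attempted while doing so. */
static int bid_result(bidder_fn bid, const char *sample, size_t len)
{
    struct stream s = { (const unsigned char *)sample, len };
    int oob = 0;
    return bid(&s, &oob);
}
static int oob_count(bidder_fn bid, const char *sample, size_t len)
{
    struct stream s = { (const unsigned char *)sample, len };
    int oob = 0;
    bid(&s, &oob);
    return oob;
}

/* Constructed samples, not real archives. */
#define SAMPLE_GOOD    "#mtree\n./etc type=dir\n"
#define SAMPLE_LONG    "#mtree version=1 custom-long-option=xxxxxxxxxxxxxx\n./x type=file\n"
#define SAMPLE_CRAFTED "#mtree keyword=value"  /* 20 bytes, no newline: ends mid-line */

int main(void)
{
    const char *names[] = { "well-formed", "long line", "crafted" };
    const char *data[] = { SAMPLE_GOOD, SAMPLE_LONG, SAMPLE_CRAFTED };
    size_t lens[] = { sizeof(SAMPLE_GOOD) - 1, sizeof(SAMPLE_LONG) - 1, sizeof(SAMPLE_CRAFTED) - 1 };
    for (int i = 0; i < 3; i++)
        printf("%-12s buggy: bid=%d oob=%d | fixed: bid=%d oob=%d\n", names[i],
               bid_result(bid_buggy, data[i], lens[i]), oob_count(bid_buggy, data[i], lens[i]),
               bid_result(bid_fixed, data[i], lens[i]), oob_count(bid_fixed, data[i], lens[i]));
    return 0;
}
```

On the well-formed and long-line samples both bidders agree and neither touches a byte outside the window, because every extension is fully satisfied. On the crafted sample the input ends four bytes into the extended window; the buggy bidder keeps scanning up to its requested size and records thousands of out-of-window reads before giving up, while the fixed bidder notices the short extension and declines the bid. The defensive property to carry over to any parser with read-ahead is that every bound used after an extension must come from the size the extension actually returned, not the size that was asked for.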

Defensive priority

Medium. Prioritize if libarchive parses externally supplied files, or if a crash in archive handling would meaningfully disrupt service. The NVD vector scores local access and user interaction, so for most deployments this is a stability hardening item; the exception is any workflow that routinely opens untrusted archives, such as a service that extracts user uploads, where the service itself supplies the "interaction" on the user's behalf and a crash is reachable by whoever can submit a file.

Recommended defensive actions

  • Upgrade or backport the upstream fix referenced in the CVE record and distribution advisories.
  • Check whether your packages map to the NVD-listed vulnerable libarchive 3.2.1 CPE or affected downstream builds such as vendor-packaged libarchive.
  • Treat archive parsing of untrusted input as higher risk and test the patched package in any workflow that handles user-supplied mtree or archive content.
  • Track vendor and distribution advisories referenced in the record for your platform, including openSUSE, Gentoo, and other downstream maintainers.

Evidence notes

This debrief is based on the official NVD CVE record and the CVE.org record, plus the referenced upstream/downstream advisories and patch links in the source corpus. The NVD record states the vulnerability description, CVSS vector, CWE-125 mapping, and vulnerable CPE criteria for libarchive 3.2.1 and openSUSE Leap 42.2. The source corpus also includes an upstream libarchive commit and multiple distro advisories that point to remediation. Note that the prose description says 'remote attackers,' while the NVD CVSS vector specifies AV:L and UI:R; this debrief follows the structured NVD scoring for defensive prioritization.

Official resources

The CVE record was published on 2017-02-15 and later modified on 2026-05-13. The source corpus includes 2016 advisories and patch references that predate the CVE publication date, indicating the issue was discussed and remediated before the