PatchSiren cyber security CVE debrief
CVE-2016-5028 Libdwarf Project CVE debrief
CVE-2016-5028 is a denial-of-service vulnerability in libdwarf before 20160923. According to the NVD record, the issue is a NULL pointer dereference in print_frame_inst_bytes that can be triggered by an object file with empty bss-like sections. The impact is availability-only, with CVSS 3.1 scoring showing Network attack vector, low attack complexity, no privileges required, user interaction required, and high availability impact.
- Vendor: Libdwarf Project
- Product: libdwarf
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-17
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-17
- Advisory updated: 2026-05-13
Who should care
Organizations that build, distribute, or embed libdwarf, especially tools that parse or inspect object files and DWARF data. Security teams that ingest untrusted binaries, and downstream package maintainers for affected libdwarf versions, should prioritize checking whether the vulnerable code is present in their software supply chain.
Technical summary
NVD describes the flaw as a NULL pointer dereference in libdwarf's print_frame_inst_bytes function. The affected version range in the NVD CPE criteria covers all releases before 20160923 (2016-09-23). The documented trigger is an object file containing empty bss-like sections. The primary weakness mapping is CWE-476 (NULL Pointer Dereference).
Defensive priority
Medium. This is an availability issue rather than a code-execution or data-exposure flaw, but it is remotely triggerable through crafted input and can crash applications that process affected files.
Recommended defensive actions
- Confirm whether any shipped or embedded libdwarf builds are earlier than 20160923.
- Upgrade libdwarf to a version at or after 20160923, or apply the vendor-referenced fix if backporting is required.
- Identify applications and services that parse untrusted object files and ensure they use the patched library version.
- Add crash monitoring and file-ingest validation around object-file processing paths that rely on libdwarf.
- If immediate upgrading is not possible, restrict exposure by limiting who can submit files to affected workflows.
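The first three actions above reduce to one question: does any inventoried libdwarf build predate the 20160923 release? libdwarf names its releases by date (YYYYMMDD), and distribution packages wrap that date in their own version suffixes, so a triage script only needs to extract the date token and compare it against the fix boundary stated in the NVD record. The following script is an added example, not part of this debrief or of the libdwarf project; the hostnames, package-version strings and the "host version" inventory format are constructed for illustration.

```python
"""Inventory triage for CVE-2016-5028: flag libdwarf builds older than 20160923.

Added example, not part of the PatchSiren debrief or the libdwarf project.
libdwarf releases are named by date (YYYYMMDD); distribution package versions
wrap that date with their own suffixes. The sample inventory lines below are
constructed for illustration.
"""
import re
from typing import List, Optional, Tuple

# Fix boundary from the NVD record: versions before 20160923 are affected.
FIXED_RELEASE = "20160923"

# A libdwarf release date is eight digits beginning with 19 or 20, not
# embedded in a longer run of digits (so "el7" or "x86_64" never match).
_DATE_RE = re.compile(r"(?<!\d)((?:19|20)\d{6})(?!\d)")


def extract_release_date(version: str) -> Optional[str]:
    """Pull the YYYYMMDD release date out of a package version string.

    Handles upstream tarball versions ("20160923"), Debian-style
    ("20120410-2+b1"), and RPM-style NVRs ("libdwarf-20180129-1.el7.x86_64").
    Returns None when no date-shaped token is present.
    """
    m = _DATE_RE.search(version)
    return m.group(1) if m else None


def is_affected(release_date: str) -> bool:
    """Before 20160923 -> vulnerable. Zero-padded YYYYMMDD compares as a string."""
    return release_date < FIXED_RELEASE


def triage_inventory(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Classify 'host package-version' inventory lines (constructed format).

    Returns (host, version, status) tuples where status is 'affected',
    'fixed', or 'unknown' (no release date could be parsed, so the build
    needs manual inspection rather than being silently passed).
    """
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(" ")
        date = extract_release_date(version)
        if date is None:
            status = "unknown"
        elif is_affected(date):
            status = "affected"
        else:
            status = "fixed"
        results.append((host, version, status))
    return results


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = [
    "# host  libdwarf package version",
    "build01 libdwarf-20120410-2+b1",
    "build02 libdwarf-20160923-1.el7.x86_64",
    "ci-runner 20180129",
    "legacy-box libdwarf-unknown",
]

if __name__ == "__main__":
    for host, version, status in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host:12} {version:34} {status}")
```

Builds that come back "unknown" (vendored source trees, statically linked copies with no package metadata) are the ones most likely to be missed in a supply-chain check, which is why the script reports them rather than dropping them.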
Evidence notes
The vulnerability description, version boundary, and CWE are taken from the official NVD record. The CVSS vector provided by NVD is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, indicating a user-interaction-dependent availability impact. The NVD reference list includes an OSS-security mailing list patch reference dated 2016-05-24 and a related entry dated 2016-05-25, plus a third-party advisory at prevanders.net. CVE publication time is 2017-02-17; later modification metadata should not be interpreted as the issue date.
Official resources
- CVE-2016-5028 CVE record (CVE.org)
- CVE-2016-5028 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] (Mailing List, Patch, Third Party Advisory)
- Mitigation or vendor reference: [email protected] (Exploit, Mailing List, Third Party Advisory)
- Mitigation or vendor reference: [email protected] (Third Party Advisory, VDB Entry)
The CVE was published on 2017-02-17; the NVD references point to May 2016 mailing-list discussion and related advisory material. Use the published CVE date for vulnerability timeline context, not the later NVD modification timestamp.