PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-5029 Libdwarf Project CVE debrief

CVE-2016-5029 describes a denial-of-service flaw in libdwarf before 20160923. A crafted DWARF file can trigger a NULL pointer dereference in create_fullest_file_path, allowing remote attackers to crash affected software. NVD classifies the issue as CVSS 6.5 with availability impact only.

Vendor: Libdwarf Project
Product: CVE-2016-5029
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-17
Original CVE updated: 2026-05-13
Advisory published: 2017-02-17
Advisory updated: 2026-05-13

Who should care

Teams that ship or embed libdwarf, especially applications, services, or tools that parse untrusted DWARF files. Security and platform owners should also care if any downstream package still includes a libdwarf build earlier than 20160923.

Technical summary

The vulnerable condition is a NULL pointer dereference in libdwarf's create_fullest_file_path function. According to NVD, affected versions are those before 20160923, and the issue is reachable through a crafted DWARF file. NVD maps the weakness to CWE-476 and scores it CVSS 3.1: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H.
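The CWE-476 pattern behind this class of bug, shown as an added illustration that is not libdwarf's code and does not reproduce the actual defect in create_fullest_file_path: a DWARF line-table file entry names a file plus a directory index, and a full path is built by joining that name with either the compilation unit's comp_dir or an entry from the include-directory table. The structures (lt_header, lt_file) and both functions are hypothetical. The unchecked variant dereferences whatever it looks up; the hardened variant validates every pointer and index first and degrades to a bare file name on malformed input instead of crashing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the inputs a line-table file entry needs to
 * build a full path (not libdwarf's real structures):
 *   comp_dir     - DW_AT_comp_dir of the CU; a crafted CU may omit it (NULL)
 *   include_dirs - directory table; individual entries may be NULL
 *   ndirs        - number of entries in include_dirs
 *   dir_index    - 0 selects comp_dir, n selects include_dirs[n-1] */
struct lt_file {
    const char *file_name;
    unsigned dir_index;
};

struct lt_header {
    const char *comp_dir;
    const char **include_dirs;
    unsigned ndirs;
};

/* Copies s into a freshly malloc'ed buffer (avoids relying on strdup). */
static char *dup_str(const char *s) {
    size_t n = strlen(s);
    char *out = malloc(n + 1);
    if (!out) return NULL;
    memcpy(out, s, n + 1);
    return out;
}

/* Joins dir and name with '/' into a freshly malloc'ed string. */
static char *join_path(const char *dir, const char *name) {
    size_t dl = strlen(dir), nl = strlen(name);
    char *out = malloc(dl + 1 + nl + 1);
    if (!out) return NULL;
    memcpy(out, dir, dl);
    out[dl] = '/';
    memcpy(out + dl + 1, name, nl + 1);
    return out;
}

/* Unchecked variant: trusts that comp_dir is present, that dir_index is
 * inside the table, and that the selected entry is non-NULL. A crafted
 * file violating any of these makes strlen() dereference NULL (or read
 * past the table), which is the CWE-476 denial-of-service shape. */
char *fullest_path_unchecked(const struct lt_header *h, const struct lt_file *f) {
    if (f->file_name[0] == '/')
        return dup_str(f->file_name);
    const char *dir = (f->dir_index == 0) ? h->comp_dir
                                          : h->include_dirs[f->dir_index - 1];
    return join_path(dir, f->file_name);
}

/* Hardened variant: every pointer and index is validated before use, and
 * malformed input yields a partial (bare) name rather than a crash. */
char *fullest_path_checked(const struct lt_header *h, const struct lt_file *f) {
    if (!h || !f || !f->file_name)
        return NULL;
    if (f->file_name[0] == '/')
        return dup_str(f->file_name);
    const char *dir = NULL;
    if (f->dir_index == 0) {
        dir = h->comp_dir;                      /* may legitimately be NULL */
    } else if (h->include_dirs && f->dir_index <= h->ndirs) {
        dir = h->include_dirs[f->dir_index - 1]; /* entry itself may be NULL */
    }
    if (!dir)
        return dup_str(f->file_name);           /* best effort, never a deref of NULL */
    return join_path(dir, f->file_name);
}

int main(void) {
    /* Constructed sample: a CU with no comp_dir and a directory table
     * whose second entry is missing, as a hostile DWARF file might present. */
    const char *dirs[] = { "/usr/include", NULL };
    struct lt_header h = { NULL, dirs, 2 };
    struct lt_file files[] = { { "main.c", 0 }, { "stdio.h", 1 }, { "gone.h", 2 }, { "bad.h", 9 } };
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++) {
        char *p = fullest_path_checked(&h, &files[i]);
        printf("%s\n", p ? p : "(null)");
        free(p);
    }
    return 0;
}
```

The defensive point is the shape of the checked function: input that comes from the file (directory index, table entries, comp_dir) is never dereferenced until its presence has been confirmed, and the fallback is a degraded result rather than an abort, which is what keeps a malformed debug file from taking down the whole consumer.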

Defensive priority

Medium

Recommended defensive actions

  • Upgrade libdwarf to 20160923 or later, or to a vendor package that explicitly includes that fix.
  • Inventory products and build artifacts that bundle libdwarf, since downstream copies may remain vulnerable even if the upstream project has been fixed.
  • Treat untrusted DWARF files as hostile input and limit where parsing occurs, especially in exposed or user-facing workflows.
  • If immediate upgrading is not possible, reduce exposure by restricting who can supply DWARF files and by isolating parsers that process them.
  • Add crash monitoring for DWARF-processing components so NULL dereference failures are detected quickly.

Evidence notes

Source evidence is consistent across NVD and the linked advisories: the affected component is libdwarf before 20160923, the faulty path is create_fullest_file_path, and the impact is denial of service via NULL pointer dereference. NVD lists the weakness as CWE-476 and the CVSS vector as CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The advisory references include an Openwall oss-security patch notice dated 2016-05-24, a related follow-up dated 2016-05-25, and a prevanders.net advisory page.

Official resources

The CVE record was published by NVD on 2017-02-17 and later modified on 2026-05-13. The linked references show public discussion in May 2016, but the CVE publication date in this record is 2017-02-17.