PatchSiren

CVE-2016-5035 Libdwarf Project CVE debrief

CVE-2016-5035 affects libdwarf’s _dwarf_read_line_table_header function in dwarf_line_table_reader.c. A crafted file can trigger an out-of-bounds read and deny service to applications that parse the file, with NVD rating the issue as medium severity (CVSS 6.5).

Vendor: Libdwarf Project
Product: Libdwarf
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-17
Original CVE updated: 2026-05-13
Advisory published: 2017-02-17
Advisory updated: 2026-05-13

Who should care

Developers and maintainers of software that embeds libdwarf or parses DWARF/debug information, plus security teams responsible for tools that accept untrusted or user-supplied files. This matters most where file parsing is exposed to users, uploads, or automated ingestion pipelines.

Technical summary

According to the NVD record, the vulnerable condition is an out-of-bounds read in _dwarf_read_line_table_header within dwarf_line_table_reader.c in libdwarf before 20160923. The issue is mapped to CWE-125 and can be triggered by a crafted file, producing a denial of service rather than documented code execution or data modification. The NVD CVSS vector is AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, indicating user interaction is required for the vulnerable parsing path.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade libdwarf to 20160923 or later, or backport the vendor fix if you ship an older branch.
  • Inventory applications, libraries, and build tools that embed or depend on libdwarf.
  • Treat untrusted DWARF/debug files as attacker-controlled input and limit where they can be parsed.
  • Add regression tests and fuzz coverage for DWARF line table parsing, especially header handling.
  • Monitor for parser crashes or abnormal termination in workflows that ingest external files.

Evidence notes

The NVD record identifies CVE-2016-5035 as an out-of-bounds read (CWE-125) in libdwarf before 20160923, with a vulnerable CPE range ending exclusively at 2016-09-23. The CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The supplied references include an oss-security mailing-list post tagged as Patch on 2016-05-24, a related oss-security post tagged as Exploit on 2016-05-25, and a third-party advisory at prevanders.net/dwarfbug.html. The CVE was published on 2017-02-17 and later modified on 2026-05-13 in the supplied NVD metadata.

Official resources

Publicly recorded in the supplied CVE metadata on 2017-02-17. Related source references in the NVD metadata date to 2016-05-24 and 2016-05-25, but those are advisory discussion dates and not the CVE issue date. NVD metadata was last marked