PatchSiren

CVE-2016-5035 Libdwarf Project CVE debrief

CVE-2016-5035 affects libdwarf’s _dwarf_read_line_table_header function in dwarf_line_table_reader.c. A crafted file can trigger an out-of-bounds read and deny service to applications that parse the file, with NVD rating the issue as medium severity (CVSS 6.5).

Vendor: Libdwarf Project
Product: CVE-2016-5035
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-17
Original CVE updated: 2026-05-13
Advisory published: 2017-02-17
Advisory updated: 2026-05-13

Who should care

Developers and maintainers of software that embeds libdwarf or parses DWARF/debug information, plus security teams responsible for tools that accept untrusted or user-supplied files. This matters most where file parsing is exposed to users, uploads, or automated ingestion pipelines.

Technical summary

According to the NVD record, the vulnerable condition is an out-of-bounds read in _dwarf_read_line_table_header within dwarf_line_table_reader.c in libdwarf before 20160923. The issue is mapped to CWE-125 and can be triggered by a crafted file, producing a denial of service rather than documented code execution or data modification. The NVD CVSS vector is AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, indicating user interaction is required for the vulnerable parsing path.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade libdwarf to 20160923 or later, or backport the vendor fix if you ship an older branch.
  • Inventory applications, libraries, and build tools that embed or depend on libdwarf.
  • Treat untrusted DWARF/debug files as attacker-controlled input and limit where they can be parsed.
  • Add regression tests and fuzz coverage for DWARF line table parsing, especially header handling.
  • Monitor for parser crashes or abnormal termination in workflows that ingest external files.

Evidence notes

The NVD record identifies CVE-2016-5035 as an out-of-bounds read (CWE-125) in libdwarf before 20160923, with a vulnerable CPE range ending exclusively at 2016-09-23. The CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The supplied references include an oss-security mailing-list post tagged as Patch on 2016-05-24, a related oss-security post tagged as Exploit on 2016-05-25, and a third-party advisory at prevanders.net/dwarfbug.html. The CVE was published on 2017-02-17 and later modified on 2026-05-13 in the supplied NVD metadata.

Official resources

Publicly recorded in the supplied CVE metadata on 2017-02-17. Related source references in the NVD metadata date to 2016-05-24 and 2016-05-25, but those are advisory discussion dates and not the CVE issue date. NVD metadata was last marked