CVE-2016-5040 Libdwarf Project CVE debrief

Who should care

Teams that bundle or embed libdwarf, especially products that parse DWARF data from untrusted or externally supplied files. Security, release engineering, and dependency-management owners should verify whether any shipped build includes a vulnerable libdwarf version.

Technical summary

The vulnerability is tracked as CWE-125 (Out-of-bounds Read). According to the NVD record, a remote attacker can supply input that causes libdwarf to process a compilation unit header containing a large length value, leading to an out-of-bounds read and crash. The vulnerable version range in the NVD CPE criteria ends before 2016-09-23.

Defensive priority

High

Recommended defensive actions

• Determine whether any products or builds include libdwarf versions earlier than 2016-09-23.
• Upgrade to a non-vulnerable libdwarf release that includes the fix.
• If immediate upgrading is not possible, reduce exposure by limiting ingestion of untrusted DWARF-containing files and monitoring for crashes in components that parse them.
• Add this CVE to dependency inventories and patch validation checks for affected releases.

Evidence notes

The NVD CVE record lists CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H and CWE-125. Its CPE criteria mark libdwarf versions before 2016-09-23 as vulnerable. Reference links include an oss-security patch mailing list post from 2016-05-24, a follow-up oss-security exploit-related post from 2016-05-25, and a third-party advisory/VDB entry at prevanders.net. The CVE record itself was published on 2017-02-17.

Official resources