PatchSiren cyber security CVE debrief

CVE-2016-8680 Libdwarf Project CVE debrief

CVE-2016-8680 is a denial-of-service vulnerability in libdwarf's dwarfdump tooling. A crafted file can trigger an out-of-bounds read in _dwarf_get_abbrev_for_code within dwarf_util.c, affecting libdwarf 20161001 and earlier. The official NVD record rates the issue as medium severity and notes that successful triggering requires user interaction with a malicious file.

Vendor: Libdwarf Project
Product: CVE-2016-8680
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-15
Original CVE updated: 2026-05-13
Advisory published: 2017-02-15
Advisory updated: 2026-05-13

Who should care

Organizations that ship libdwarf or bundle dwarfdump, especially developers, distro maintainers, and teams that process untrusted DWARF files in build, analysis, or support workflows.

Technical summary

According to the official record, _dwarf_get_abbrev_for_code in dwarf_util.c can read outside valid bounds when dwarfdump is run against a crafted input file. NVD maps the weakness to CWE-125 and lists CVSS v3.1 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H), indicating a remote, user-interaction-dependent availability impact rather than a confidentiality or integrity compromise. The affected version range in the NVD CPE data ends at libdwarf 20161001.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade libdwarf to a fixed version newer than 20161001 or apply the vendor patch referenced in the advisory and source diff links.
  • Treat dwarfdump and any libdwarf-based parser as untrusted-file processing code; run it only on trusted inputs when possible.
  • If you cannot patch immediately, isolate the tool with sandboxing, least privilege, and tight file-access controls.
  • Review build pipelines, QA jobs, and support tooling that automatically open customer-supplied DWARF files.
  • Verify downstream packages and container images for embedded libdwarf copies and rebuild after applying fixes.
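One way to apply the isolation and pipeline-review points above, as an added example that is not part of libdwarf or the advisory: a hypothetical wrapper that runs dwarfdump on an untrusted file under a memory cap and a timeout, and turns the outcome into a token a CI job can log and fail on. It assumes GNU coreutils `timeout` and a shell whose `ulimit -v` caps virtual memory; the binary path and limits are assumed defaults.

```shell
#!/bin/sh
# Guarded runner for dwarfdump on untrusted input (hypothetical wrapper, not
# libdwarf code). Assumes GNU coreutils `timeout` and `ulimit -v`.
DWARFDUMP_BIN="${DWARFDUMP_BIN:-dwarfdump}"   # assumed path to the real binary
TIMEOUT_SECS="${TIMEOUT_SECS:-30}"            # assumed wall-clock budget per file
MEM_LIMIT_KB="${MEM_LIMIT_KB:-524288}"        # assumed 512 MiB virtual memory cap

# run_dwarfdump_guarded FILE [BIN]
# Runs BIN (default $DWARFDUMP_BIN) on FILE with stdin closed, output discarded,
# a memory cap and a timeout. Prints one classification token and returns 0 only
# for a clean run, so a pipeline fails closed and keeps the token in its log:
#   ok | unreadable | timeout | crash:<signal> | error:<exit-status>
# A crash token on a customer-supplied file is the symptom to record for an
# out-of-bounds read such as CVE-2016-8680: the tool dies, nothing is leaked.
run_dwarfdump_guarded() {
    file="$1"
    bin="${2:-$DWARFDUMP_BIN}"
    if [ ! -r "$file" ]; then
        echo "unreadable"
        return 1
    fi
    # Subshell so the ulimit only affects the child; exec avoids an extra process.
    (
        ulimit -v "$MEM_LIMIT_KB" 2>/dev/null || true
        exec timeout "$TIMEOUT_SECS" "$bin" "$file"
    ) </dev/null >/dev/null 2>&1
    status=$?
    case "$status" in
        0)   echo "ok"; return 0 ;;
        124) echo "timeout"; return 1 ;;          # timeout(1) killed the run
        *)
            if [ "$status" -gt 128 ]; then
                echo "crash:$((status - 128))"    # died from a signal (SIGSEGV is 11)
            else
                echo "error:$status"              # tool reported an ordinary error
            fi
            return 1 ;;
    esac
}

# Scan every file given on the command line, e.g. from a build or support job;
# returns non-zero if any file did not parse cleanly.
scan_dwarf_files() {
    rc=0
    for f in "$@"; do
        result=$(run_dwarfdump_guarded "$f") || rc=1
        printf '%s\t%s\n' "$result" "$f"
    done
    return "$rc"
}
```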

Evidence notes

The official CVE and NVD records identify libdwarf 20161001 and earlier as affected and describe the issue as an out-of-bounds read in _dwarf_get_abbrev_for_code causing denial of service. NVD lists CWE-125 and CVSS v3.1 6.5 with user interaction required. The supplied reference set includes patch-oriented links from oss-security, a Red Hat bug, and a SourceForge diff; one third-party advisory text uses different wording ('heap-based buffer overflow'), but the official NVD classification is the primary basis used here.

Official resources

The CVE was published on 2017-02-15, with source references pointing back to October 2016 patch/advisory activity. The provided NVD record was last modified on 2026-05-13.