PatchSiren cyber security CVE debrief
CVE-2016-9558 Libdwarf Project CVE debrief
CVE-2016-9558 is a critical integer-overflow flaw in libdwarf’s signed LEB128 decoding. According to NVD, certain bit patterns in a signed LEB number can trigger a "negation overflow" in libdwarf/dwarf_leb.c and dwarfdump/print_frames.c; versions before 2016-11-24 are considered vulnerable. NVD scores the issue 9.8 (CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), so teams that parse untrusted DWARF data should treat patching, or removing the exposure, as urgent.
- Vendor: Libdwarf Project
- Product: libdwarf
- CVE: CVE-2016-9558
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-28
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-28
- Advisory updated: 2026-05-13
Who should care
Security teams, distro/package maintainers, and application owners that ship or embed libdwarf, especially software that processes untrusted binaries, debug symbols, crash dumps, or other DWARF-containing files.
Technical summary
The vulnerability is a negation overflow in signed LEB128 decoding, affecting libdwarf’s dwarf_leb.c and the dwarfdump/print_frames.c code that consumes the decoded values. NVD classifies it as CWE-190 (integer overflow or wraparound), and the affected version range in NVD ends before 2016-11-24. Signed LEB128 is a variable-length encoding in which each byte carries seven payload bits plus a continuation bit, and bit 6 of the final byte gives the sign; a decoder that sign-extends with signed shifts, or by negating a shifted value, has no representable result once the accumulated payload reaches the 64-bit boundary, which is the general mechanism behind a negation overflow in LEB decoding (the NVD record does not spell out the specific pattern). The published references include mailing list advisories and a vendor-linked fix discussion, consistent with a library patch in late 2016.
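To make the failure mode concrete, the following decoder is an added illustration written for this debrief; it is not libdwarf's code and should not be read as a quote of the fixed or unfixed dwarf_leb.c. It shows where a signed LEB128 decoder reaches the 64-bit boundary (the tenth byte) and how to bound the shift and sign-extension steps so that no signed overflow can occur. The byte patterns are constructed for the example, and the comment describing a sign-extension step that negates a shifted 1 is an assumption about the class of bug, not a statement about libdwarf's exact source.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/*
 * Bounded signed LEB128 decoder (illustrative, not libdwarf's code).
 * Returns 0 on success and writes the value and the bytes consumed;
 * returns -1 for truncated, overlong or out-of-range input instead of
 * letting the shift or the sign-extension step run past 64 bits.
 */
int sleb128_decode(const uint8_t *buf, size_t len, int64_t *out, size_t *consumed)
{
    uint64_t result = 0;   /* accumulate unsigned: these shifts are never UB */
    unsigned shift = 0;
    size_t i = 0;
    uint8_t byte = 0;

    for (;;) {
        if (i >= len)
            return -1;                     /* truncated encoding */
        if (shift >= 64)
            return -1;                     /* an 11th byte: no room left */
        byte = buf[i++];
        uint64_t bits = byte & 0x7f;

        if (shift == 63) {
            /* 10th byte: only payload bit 0 lands in the result (bit 63, the
             * sign). Bits 1..6 must be copies of that sign bit; anything else
             * encodes a value outside int64 range. A decoder that sign-extends
             * with -((int64_t)1 << shift) has no representable result exactly
             * here: 1 << 63 is already undefined for a signed type, and the
             * negation of the most negative value cannot be represented. */
            uint64_t sign = bits & 1;
            uint64_t pad  = bits >> 1;
            if ((sign && pad != 0x3f) || (!sign && pad != 0))
                return -1;
            result |= sign << 63;
        } else {
            result |= bits << shift;
        }
        shift += 7;
        if (!(byte & 0x80))
            break;
    }

    /* Sign-extend from the last payload bit when the encoding stopped early. */
    if (shift < 64 && (byte & 0x40))
        result |= ~(uint64_t)0 << shift;

    memcpy(out, &result, sizeof *out);    /* two's-complement reinterpretation */
    if (consumed)
        *consumed = i;
    return 0;
}

/* Helpers so the decoder can be exercised on fixed byte patterns. */
int sleb128_check(const uint8_t *buf, size_t len, int64_t expect)
{
    int64_t v;
    size_t n;
    return sleb128_decode(buf, len, &v, &n) == 0 && v == expect && n == len;
}

int sleb128_rejects(const uint8_t *buf, size_t len)
{
    int64_t v;
    size_t n;
    return sleb128_decode(buf, len, &v, &n) != 0;
}

/* Constructed sample inputs (not taken from any real DWARF section). */
static const uint8_t enc_neg2[]     = {0x7e};
static const uint8_t enc_127[]      = {0xff, 0x00};
static const uint8_t enc_neg128[]   = {0x80, 0x7f};
static const uint8_t enc_min[]      = {0x80,0x80,0x80,0x80,0x80,0x80,0x80,0x80,0x80,0x7f}; /* INT64_MIN */
static const uint8_t enc_max[]      = {0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x00}; /* INT64_MAX */
static const uint8_t enc_bad_pad[]  = {0x80,0x80,0x80,0x80,0x80,0x80,0x80,0x80,0x80,0x01}; /* +2^63: out of range */
static const uint8_t enc_too_long[] = {0x80,0x80,0x80,0x80,0x80,0x80,0x80,0x80,0x80,0x80,0x00};

int main(void)
{
    int64_t v;
    size_t n;
    if (sleb128_decode(enc_min, sizeof enc_min, &v, &n) == 0)
        printf("10-byte INT64_MIN pattern decoded to %lld in %zu bytes\n", (long long)v, n);
    printf("out-of-range 10th byte rejected: %s\n",
           sleb128_rejects(enc_bad_pad, sizeof enc_bad_pad) ? "yes" : "no");
    printf("11-byte encoding rejected: %s\n",
           sleb128_rejects(enc_too_long, sizeof enc_too_long) ? "yes" : "no");
    return 0;
}
```

The point of the bounded version is that every arithmetic step stays in unsigned 64-bit space and the decoder refuses input before the shift count can exceed what the result type holds; a fuzzer fed the ten- and eleven-byte patterns above is a cheap way to confirm that whatever LEB decoder a build actually links behaves the same way.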
Defensive priority
Critical. NVD assigns a 9.8 severity with no privileges and no user interaction required in its vector, and the flaw affects core parsing logic in a library commonly used to inspect external data.
Recommended defensive actions
- Upgrade libdwarf to a version released on or after 2016-11-24.
- Inventory products and build outputs that bundle or statically link libdwarf, then verify the patched version is actually in use at runtime.
- Treat untrusted DWARF-bearing files as high-risk inputs until affected deployments are patched.
- If immediate upgrade is not possible, reduce exposure by limiting which systems can ingest external debug data and by isolating parsing workloads.
- Validate vendor backports or downstream packages rather than relying only on upstream version labels.
Evidence notes
This debrief is based on the NVD CVE record and the references embedded in the CVE metadata. The core facts are: libdwarf before 2016-11-24 is vulnerable; the affected code paths are dwarf_leb.c and dwarfdump/print_frames.c; the weakness is described as a negation overflow in a signed LEB number; and NVD classifies it as CWE-190 with CVSS 3.1 9.8. The referenced advisory dates in November 2016 support the patch timeline, while the CVE publication date is 2017-02-28.
Official resources
- CVE-2016-9558 CVE record (CVE.org)
- CVE-2016-9558 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor references, as tagged in the NVD record (the reporting address was obscured by email obfuscation in the stored copy and is not reproduced here):
  - Mailing List, Patch, Third Party Advisory
  - Mailing List, Patch, Third Party Advisory
  - Third Party Advisory, VDB Entry
  - Exploit, Patch, Third Party Advisory, VDB Entry
  - Third Party Advisory
  - Third Party Advisory
Public CVE disclosed in the CVE/NVD record on 2017-02-28, with supporting advisories and patch references from November 2016. This debrief uses only the supplied official record and referenced sources.