PatchSiren cyber security CVE debrief
CVE-2016-5827 Libical Project CVE debrief
CVE-2016-5827 is a remotely reachable denial-of-service vulnerability in libical’s time-string parsing path. According to NVD, crafted input passed to icalparser_parse_string can trigger an out-of-bounds heap read in icaltime_from_string, affecting libical 0.47 and 1.0.0. The published CVSS v3.1 score is 7.5 (HIGH), with network attack, no privileges, and no user interaction required, making exposure dependent mainly on whether an application accepts untrusted calendar data.
- Vendor: Libical Project
- Product: CVE-2016-5827
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Organizations and products that embed libical and parse calendar content from untrusted or externally supplied sources should care most, especially server-side services, mail/calendar gateways, and applications that expose libical-based parsing to remote input.
Technical summary
NVD classifies the issue as CWE-125 (out-of-bounds read). The vulnerable path is described as icaltime_from_string being reached through icalparser_parse_string, where crafted input can cause a heap read outside bounds and crash the process or otherwise deny service. The NVD record lists libical 0.47 and 1.0.0 as vulnerable CPEs and rates the issue CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
Defensive priority
High. The issue is network-exploitable, requires no authentication, and can directly affect service availability. Prioritize if libical is reachable from external or semi-trusted input paths.
Recommended defensive actions
- Inventory applications and services that ship or link against libical, especially versions matching 0.47 or 1.0.0.
- Reduce exposure of any libical parsing endpoint to untrusted input until patched or replaced.
- Apply vendor or downstream updates that remove the vulnerable libical version once available.
- Add monitoring for crashes or abnormal terminations in services that parse calendar strings.
- Use input validation and isolation controls around calendar parsing to limit blast radius if malformed data is received.
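As an added illustration of the input-validation item above (example code written for this debrief, not libical's own), a strict pre-check for RFC 5545 DATE and DATE-TIME values (YYYYMMDD, or YYYYMMDDTHHMMSS with an optional trailing Z) that a service can run on a property value before handing it to libical's parser; the function name ical_time_string_is_wellformed is an assumption of this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example for this debrief, not libical code. Accepts only the exact
 * RFC 5545 DATE / DATE-TIME shapes so truncated or oddly shaped time strings
 * are rejected before a libical-based service parses them. */

static int all_digits(const char *s, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)s[i])) return 0;
    return 1;
}

/* Interprets the two digits at s as a number and checks lo <= value <= hi. */
static int in_range(const char *s, int lo, int hi) {
    int v = (s[0] - '0') * 10 + (s[1] - '0');
    return v >= lo && v <= hi;
}

/* Returns 1 if s is a well-formed DATE or DATE-TIME value, 0 otherwise. */
int ical_time_string_is_wellformed(const char *s) {
    if (s == NULL) return 0;
    size_t len = strlen(s);
    /* Exactly 8 (DATE), 15 (DATE-TIME) or 16 (DATE-TIME with UTC 'Z') chars. */
    if (len != 8 && len != 15 && len != 16) return 0;
    if (!all_digits(s, 8)) return 0;                    /* YYYYMMDD */
    if (!in_range(s + 4, 1, 12) || !in_range(s + 6, 1, 31)) return 0;
    if (len == 8) return 1;
    if (s[8] != 'T' || !all_digits(s + 9, 6)) return 0; /* THHMMSS */
    if (!in_range(s + 9, 0, 23) || !in_range(s + 11, 0, 59) ||
        !in_range(s + 13, 0, 60)) return 0;             /* 60 = leap second */
    if (len == 16 && s[15] != 'Z') return 0;
    return 1;
}

int main(void) {
    /* Constructed sample values: two valid, two malformed. */
    const char *samples[] = { "20170127T225900Z", "20170127", "2017012", "20171327" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s %s\n", samples[i],
               ical_time_string_is_wellformed(samples[i]) ? "accept" : "reject");
    return 0;
}
```

This is a compensating control around the parsing endpoint, not a fix for the library; a libical build without the vulnerable icaltime_from_string behaviour remains the remediation.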
Evidence notes
The NVD record states that icaltime_from_string in libical 0.47 and 1.0 allows remote attackers to cause a denial of service via a crafted string to icalparser_parse_string, and maps the weakness to CWE-125. The NVD CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, supporting high availability impact with no privileges or user interaction. The CVE record and NVD detail pages are the primary official references in the supplied corpus, with additional third-party references preserved in the CVE metadata.
Official resources
- CVE-2016-5827 CVE record (CVE.org)
- CVE-2016-5827 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Mailing List, Third Party Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
- Source reference: [email protected] - Issue Tracking
The CVE was published on 2017-01-27T22:59:00.710Z and later modified on 2026-05-13T00:24:29.033Z in the supplied record. The metadata also preserves older third-party references associated with the issue.