PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-9584 Libical Project CVE debrief

CVE-2016-9584 is a critical libical flaw caused by a use-after-free while processing crafted .ics content. According to NVD, the issue can let a remote attacker trigger denial of service and possibly read heap memory, with affected libical versions through 2.0.

Vendor: Libical Project
Product: CVE-2016-9584
CVSS: CRITICAL 9.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-18
Original CVE updated: 2026-05-13
Advisory published: 2017-01-18
Advisory updated: 2026-05-13

Who should care

Organizations that parse or ingest iCalendar (.ics) files with libical, especially products or services that process untrusted calendar data, should treat this as a high-priority memory-safety issue.

Technical summary

NVD classifies the weakness as CWE-416 (Use After Free) and assigns CVSS 3.0 9.1/CRITICAL with AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H. The vulnerable CPE scope in the record covers libical versions up to and including 2.0. The public description says a crafted ICS file can trigger denial of service and may expose heap memory.

Defensive priority

High. This is a remotely triggerable memory-corruption issue with both availability and confidentiality impact in the NVD record, so patching or replacing vulnerable libical builds should be prioritized wherever untrusted calendar input is processed.

Recommended defensive actions

  • Upgrade libical to a version that is not covered by the vulnerable NVD range (the record lists versions up to and including 2.0).
  • Inventory applications, libraries, appliances, and services that bundle or link against libical, including indirect dependencies.
  • Restrict or validate ingestion of untrusted .ics files until remediation is complete.
  • Monitor for crashes or anomalous behavior in calendar parsing paths, especially where user-supplied ICS content is accepted.
  • Use vendor advisories and the NVD entry to confirm the fixed version for each downstream package or distribution build.
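The first two actions above amount to a version-range check over an inventory of libical-linked components. The following Python is an added example written for this debrief, not code from PatchSiren or the libical project: it reads a constructed inventory (host, package, installed version), normalises versions such as "2.0.0-3" to numeric tuples, and flags anything inside the NVD range quoted on this page (up to and including 2.0). The inventory format and host names are assumptions for illustration.

```python
import re
from typing import List, Tuple

# Upper bound of the vulnerable range as stated in the NVD record for
# CVE-2016-9584: libical versions up to and including 2.0.
VULN_MAX = (2, 0)

# Constructed sample inventory (not real hosts): host, package, version.
SAMPLE_INVENTORY = """\
# host        package      version
mailgw-01     libical      2.0.0-3
calapi-02     libical3     3.0.10
kiosk-07      libical1     1.0.1
build-03      libical-dev  2.0.0
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the numeric dotted prefix of a version string.

    '2.0.0-3' -> (2, 0, 0); distribution suffixes are ignored because the
    NVD range is expressed in upstream version numbers.
    """
    match = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def compare_versions(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Compare two version tuples after zero-padding ('2.0' == '2.0.0')."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def is_vulnerable(version: str) -> bool:
    """True if the version falls inside the NVD range (<= 2.0)."""
    return compare_versions(parse_version(version), VULN_MAX) <= 0


def triage(inventory_text: str) -> List[Tuple[str, str, str]]:
    """Return (host, package, version) rows whose libical build is in range."""
    flagged = []
    for line in inventory_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, package, version = line.split()
        if "libical" in package and is_vulnerable(version):
            flagged.append((host, package, version))
    return flagged


if __name__ == "__main__":
    for host, package, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {package} {version} is within the CVE-2016-9584 range")
```

The check is only a first pass: a distribution may backport the fix without moving the upstream version number, so rows it flags still need to be confirmed against the vendor advisory for that package, as the last action above says.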

Evidence notes

This debrief is based only on the supplied NVD record and linked references. The NVD entry describes a libical use-after-free leading to DoS and possible heap memory disclosure, classifies it as CWE-416, assigns CVSS 3.0 9.1/CRITICAL, and lists affected versions through 2.0. The record also includes references to an oss-security mailing list post dated 2016-12-15 and a SecurityFocus BID entry.

Official resources

The CVE record was published on 2017-01-18. The NVD reference list also includes an oss-security mailing list post dated 2016-12-15, which provides earlier public context in the source corpus.