PatchSiren


CVE-2017-5545 Libimobiledevice CVE debrief

CVE-2017-5545 is a critical out-of-bounds read in libplist’s plistutil.c main function, affecting libplist through version 1.12. According to NVD and the CVE record, too-short Apple Property List input can trigger a buffer over-read, which may disclose sensitive process memory or crash the affected process. The CVE was published on 2017-01-21; the 2026 modification date reflects record updates, not the original issue date.

Vendor: Libimobiledevice
Product: CVE-2017-5545
CVSS: CRITICAL 9.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-21
Original CVE updated: 2026-05-13
Advisory published: 2017-01-21
Advisory updated: 2026-05-13

Who should care

Administrators, package maintainers, and developers who ship or embed libplist/libimobiledevice components should care, especially if their software parses Apple Property List data from untrusted sources or accepts externally supplied plist files.

Technical summary

The weakness is classified as CWE-125 (out-of-bounds read). NVD describes the flaw as a buffer over-read in plistutil.c, where Apple Property List data that is too short can cause the parser to read past the intended buffer boundary. NVD assigns the issue a CVSS 3.0 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H): exploitable over the network with no privileges or user interaction, with high confidentiality and availability impact and no integrity impact.

Defensive priority

High. This is a critical memory-safety issue in a parsing path, and the reported impact includes both information disclosure and denial of service. Prioritize patching any deployment that processes untrusted plist data or ships affected libplist versions.

Recommended defensive actions

  • Upgrade libplist to a version that includes the upstream fix, or backport the patch if you cannot upgrade immediately.
  • Apply the upstream fix referenced in the libplist commit linked from the CVE record.
  • Inventory products and packages that depend on libplist and confirm whether they vendor or statically link the affected code.
  • Treat all Apple Property List inputs as untrusted and reject malformed or unexpectedly short data before parsing.
  • Monitor distro/vendor advisories and re-deploy updated packages where libplist is provided by the operating system.
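
The "reject unexpectedly short data before parsing" action, as an added example: this is not libplist's code or the upstream patch. The function names are hypothetical, and the 8-byte minimum is an assumption based on the length of the binary plist magic "bplist00".

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names for illustration; none of this is libplist API. */
enum plist_kind { PLIST_REJECT = 0, PLIST_BINARY = 1, PLIST_OTHER = 2 };

#define BPLIST_MAGIC     "bplist00"  /* binary plist header magic */
#define BPLIST_MAGIC_LEN 8u          /* assumed minimum input size */

/* Unchecked form: a fixed 8-byte compare with no knowledge of how many
 * bytes the buffer holds. On a shorter input, memcmp may read past the
 * end of the allocation (CWE-125). Illustrative only; not copied from
 * plistutil.c. */
int is_binary_unchecked(const unsigned char *buf)
{
    return memcmp(buf, BPLIST_MAGIC, BPLIST_MAGIC_LEN) == 0;
}

/* Hardened form: the length test runs before any byte of the header is
 * touched, so a too-short input is rejected instead of being compared. */
enum plist_kind classify_plist(const unsigned char *buf, size_t len)
{
    if (buf == NULL || len < BPLIST_MAGIC_LEN)
        return PLIST_REJECT;
    if (memcmp(buf, BPLIST_MAGIC, BPLIST_MAGIC_LEN) == 0)
        return PLIST_BINARY;
    return PLIST_OTHER;  /* e.g. XML; hand off to the XML parser */
}

int main(void)
{
    /* Constructed sample inputs. */
    static const unsigned char tiny[] = { 'b', 'p', 'l' };
    static const unsigned char bin[]  = "bplist00";
    static const unsigned char xml[]  = "<?xml version";

    printf("tiny -> %d\n", classify_plist(tiny, sizeof tiny));
    printf("bin  -> %d\n", classify_plist(bin, sizeof bin - 1));
    printf("xml  -> %d\n", classify_plist(xml, sizeof xml - 1));
    return 0;
}
```

A wrapper like this only guards the header check in the calling program; it does not replace upgrading the library.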

Evidence notes

Source evidence consistently identifies libplist through 1.12 as vulnerable and ties the issue to a too-short Apple Property List input causing a buffer over-read in plistutil.c. The CVE record and NVD entry provide the vulnerability class (CWE-125), severity metrics, and affected version range. The upstream GitHub issue and commit referenced in the CVE metadata indicate a patch exists. The CVE was published on 2017-01-21; the later modified date is a metadata update.

Official resources

Publicly disclosed; CVE published on 2017-01-21.