PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5835 Libimobiledevice CVE debrief

CVE-2017-5835 is a denial-of-service issue in libplist that can cause large memory allocation and a crash when handling vectors involving an offset size of zero. NVD assigns the issue a CVSS 3.0 score of 7.5 (HIGH) and maps it to CWE-770, indicating uncontrolled resource consumption. The available references include upstream mailing list threads and a GitHub issue tied to the libplist project, which supports the characterization as a resource-exhaustion problem.

Vendor: Libimobiledevice
Product: CVE-2017-5835
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-03
Original CVE updated: 2026-05-13
Advisory published: 2017-03-03
Advisory updated: 2026-05-13

Who should care

Organizations that ship, embed, or depend on libplist through libimobiledevice should care, especially if their systems process untrusted or attacker-controlled plist content. Security and operations teams should also review any downstream products that bundle the affected library.

Technical summary

NVD describes the flaw as attacker-triggerable denial of service through large memory allocation and crash behavior related to an offset size of zero. The vulnerability is recorded against cpe:2.3:a:libimobiledevice:libplist:*:*:*:*:*:*:*:* and classified as CWE-770. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) indicates remote, low-complexity, no-authentication conditions with high availability impact.

Defensive priority

High for environments that accept untrusted input into libplist, because the issue can be triggered remotely without privileges or user interaction and can consume resources until the service crashes.

Recommended defensive actions

  • Inventory systems and applications that include or depend on libplist.
  • Check whether your deployed libplist package or embedded copy includes a fix for CVE-2017-5835.
  • Prioritize patching or upgrading affected packages in internet-facing or parser-heavy services.
  • Monitor for abnormal memory growth, crashes, or repeated restarts in processes that parse plist data.
  • If immediate patching is not possible, reduce exposure by limiting untrusted plist input paths and isolating the affected component.
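As an added defensive example (not code from the libplist project or from this advisory's sources), the Python pre-check below reads only the 32-byte bplist00 trailer and rejects inputs whose offset size is zero or whose declared offset table cannot fit inside the buffer, so untrusted plist data can be gated before it reaches the parser. The object-count cap and the sample-file builder are assumptions constructed for this example.

```python
import struct

HEADER = b"bplist00"
TRAILER_LEN = 32
MAX_OBJECTS = 1_000_000  # policy cap; an assumption for this example, tune per service

def check_bplist(data: bytes, max_objects: int = MAX_OBJECTS) -> list:
    """Return the reasons a binary plist should be rejected; an empty list means the
    trailer is self-consistent and the offset table fits before the trailer."""
    problems = []
    if len(data) < len(HEADER) + TRAILER_LEN:
        return ["too short to hold a header and a trailer"]
    if not data.startswith(HEADER):
        return ["missing bplist00 magic"]
    # Trailer layout: 5 reserved bytes, sort version, offset int size, object ref size,
    # then three big-endian uint64s: object count, top object index, offset table offset.
    _, _sort, offset_size, ref_size, num_objects, top_object, table_offset = \
        struct.unpack(">5sBBBQQQ", data[-TRAILER_LEN:])
    if offset_size == 0:
        problems.append("offset size is zero (the CVE-2017-5835 trigger condition)")
    elif offset_size > 8:
        problems.append("offset size %d exceeds 8 bytes" % offset_size)
    if ref_size == 0 or ref_size > 8:
        problems.append("object reference size %d is invalid" % ref_size)
    if num_objects == 0:
        problems.append("object count is zero")
    elif num_objects > max_objects:
        problems.append("object count %d exceeds cap %d" % (num_objects, max_objects))
    if top_object >= num_objects:
        problems.append("top object index is out of range")
    body_end = len(data) - TRAILER_LEN
    if table_offset < len(HEADER) or table_offset >= body_end:
        problems.append("offset table starts outside the object body")
    elif offset_size and num_objects * offset_size > body_end - table_offset:
        # This is the product an allocator would size; bound it before any allocation.
        problems.append("offset table does not fit before the trailer")
    return problems

def build_sample(offset_size: int, num_objects: int = 1) -> bytes:
    """Constructed sample: one `true` object (0x09) at offset 8, a one-entry offset
    table at offset 9, and a trailer that declares the given sizes and counts."""
    body = HEADER + b"\x09" + b"\x08"
    trailer = struct.pack(">5sBBBQQQ", b"\x00" * 5, 0, offset_size, 1, num_objects, 0, 9)
    return body + trailer

if __name__ == "__main__":
    print("well-formed:", check_bplist(build_sample(1)))
    print("zero offset size:", check_bplist(build_sample(0)))
    print("oversized count:", check_bplist(build_sample(8, num_objects=2 ** 40)))
```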

Evidence notes

The description, CVSS vector, and CWE mapping come from the NVD record for CVE-2017-5835. The upstream references in the corpus point to libplist-related mailing list discussion and a GitHub issue, which support the resource-exhaustion and crash characterization. The vendor/product mapping in the source corpus uses the libimobiledevice/libplist CPE entry with medium confidence.

Official resources

CVE-2017-5835 was published on 2017-03-03 and later modified in NVD on 2026-05-13. The corpus contains upstream references dated January and February 2017, indicating that the issue and the related patch discussion were already circulating at that time.