PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5836 Libimobiledevice CVE debrief

CVE-2017-5836 is a high-severity memory-management flaw in libplist that can cause a crash. The issue is described as an invalid free in plist_free_data when an integer node is treated as a PLIST_KEY. For defenders, the main concern is service availability rather than data theft or code execution.

Vendor
Libimobiledevice
Product
Libplist
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2017-03-03
Original CVE updated
2026-05-13
Advisory published
2017-03-03
Advisory updated
2026-05-13

Who should care

Administrators and developers who ship or embed libplist, especially software that parses untrusted plist data. Security teams should care most where a crash would interrupt automation, device-management workflows, or other availability-sensitive services.

Technical summary

NVD classifies the issue as CWE-415 and assigns CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability description states that plist_free_data in plist.c can mis-handle an integer node as PLIST_KEY, leading to an invalid free and denial of service. The referenced ecosystem includes libplist under the libimobiledevice project.

Defensive priority

High. The published score and vector indicate a remotely reachable, unauthenticated availability impact with no confidentiality or integrity impact. Prioritize if libplist processes attacker-influenced input or supports exposed services.

Recommended defensive actions

  • Identify whether your software links against libplist or bundles it indirectly through libimobiledevice components.
  • Upgrade to a libplist release that includes the fix, using the vendor or project references attached to the CVE record as the starting point.
  • If immediate upgrading is not possible, reduce exposure by limiting who can submit plist content and by isolating the parsing component.
  • Monitor for unexpected crashes or restart loops in services that parse plist inputs.
  • Validate any downstream packages or vendor images, since affected use may come from transitive dependencies rather than a direct install.

Evidence notes

The CVE description supplied in the NVD record attributes the crash to plist_free_data in plist.c, where an integer node is treated as PLIST_KEY and triggers an invalid free. NVD lists CWE-415 and the CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, supporting a network-reachable availability issue. The record references two oss-security mailing list posts and the libplist issue tracker entry, indicating a patch and issue-tracking trail in the upstream ecosystem. The CVE was published on 2017-03-03 and the NVD record was later modified on 2026-05-13; that later date reflects record maintenance, not the original vulnerability date.

Official resources

Publicly disclosed and published in the CVE/NVD record on 2017-03-03. The NVD entry was modified later on 2026-05-13, which is record maintenance rather than the original disclosure date.