PatchSiren


CVE-2017-5836 Libimobiledevice CVE debrief

CVE-2017-5836 is a high-severity memory-management flaw in libplist that can cause a crash. The issue is described as an invalid free in plist_free_data when an integer node is treated as a PLIST_KEY. For defenders, the main concern is service availability rather than data theft or code execution.

Vendor: Libimobiledevice
Product: CVE-2017-5836
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-03
Original CVE updated: 2026-05-13
Advisory published: 2017-03-03
Advisory updated: 2026-05-13

Who should care

Administrators and developers who ship or embed libplist, especially software that parses untrusted plist data. Security teams should care most where a crash would interrupt automation, device-management workflows, or other availability-sensitive services.

Technical summary

NVD classifies the issue as CWE-415 and assigns the CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability description states that plist_free_data in plist.c can mishandle an integer node as PLIST_KEY, leading to an invalid free and denial of service. The referenced ecosystem includes libplist under the libimobiledevice project.
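
The failure mode described above, modelled as an added example (not libplist's code and not taken from the CVE record): a free routine that trusts a node's type tag, next to a guarded relabel that keeps an integer node from ever being tagged as a key. The `node` type and all function names are hypothetical, and the guard is one way to enforce the invariant, not a statement of the upstream fix.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of a tagged node; all names here are hypothetical. */
typedef enum { NODE_UINT, NODE_STRING, NODE_KEY } node_type;
typedef struct {
    node_type type;
    union { uint64_t intval; char *strval; } u; /* strval is heap-owned; intval owns nothing */
} node;

node *node_new_uint(uint64_t v) {
    node *n = calloc(1, sizeof *n);
    if (n) { n->type = NODE_UINT; n->u.intval = v; }
    return n;
}

node *node_new_string(const char *s) {
    size_t len = strlen(s) + 1;
    node *n = calloc(1, sizeof *n);
    char *copy = malloc(len);
    if (!n || !copy) { free(n); free(copy); return NULL; }
    n->type = NODE_STRING;
    n->u.strval = memcpy(copy, s, len);
    return n;
}

/* The free routine trusts the tag: STRING or KEY means u.strval is a heap pointer.
 * A NODE_UINT relabelled as NODE_KEY would hand the integer's bits to free(). */
void node_free(node *n) {
    if (!n) return;
    if (n->type == NODE_STRING || n->type == NODE_KEY) free(n->u.strval);
    free(n);
}

/* Guarded relabel: only a string node may become a key, so tag and union member agree. */
int node_promote_to_key(node *n) {
    if (!n || n->type != NODE_STRING) return -1;
    n->type = NODE_KEY;
    return 0;
}

int main(void) { /* constructed sample nodes */
    node *i = node_new_uint(42), *s = node_new_string("Name");
    int ok = i && s && node_promote_to_key(i) == -1 && node_promote_to_key(s) == 0;
    node_free(i); node_free(s);
    return ok ? 0 : 1;
}
```

Because the integer node keeps its `NODE_UINT` tag after the rejected promotion, `node_free` releases only the node itself and never touches the union member.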

Defensive priority

High. The published score and vector indicate a remotely reachable, unauthenticated availability impact with no confidentiality or integrity impact. Prioritize if libplist processes attacker-influenced input or supports exposed services.

Recommended defensive actions

  • Identify whether your software links against libplist or bundles it indirectly through libimobiledevice components.
  • Upgrade to a libplist release that includes the fix, using the vendor or project references attached to the CVE record as the starting point.
  • If immediate upgrading is not possible, reduce exposure by limiting who can submit plist content and by isolating the parsing component.
  • Monitor for unexpected crashes or restart loops in services that parse plist inputs.
  • Validate any downstream packages or vendor images, since affected use may come from transitive dependencies rather than a direct install.

Evidence notes

The CVE description supplied in the NVD record attributes the crash to plist_free_data in plist.c, where an integer node is treated as PLIST_KEY and triggers an invalid free. NVD lists CWE-415 and the CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, supporting a network-reachable availability issue. The record references two oss-security mailing list posts and the libplist issue tracker entry, indicating a patch and issue-tracking trail in the upstream ecosystem. The CVE was published on 2017-03-03 and the NVD record was later modified on 2026-05-13; that later date reflects record maintenance, not the original vulnerability date.

Official resources

Publicly disclosed and published in the CVE/NVD record on 2017-03-03. The NVD entry was modified later on 2026-05-13, which is record maintenance rather than the original disclosure date.