PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-9828 Libming CVE debrief

CVE-2016-9828 is a denial-of-service issue in libming’s listswf tool. A crafted SWF file can trigger a NULL pointer dereference in dumpBuffer (read.c), causing the program to crash. The issue is documented by NVD and linked third-party advisories, with the CVE published on 2017-02-17 and later modified on 2026-05-13.

Vendor: Libming
Product: CVE-2016-9828
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-17
Original CVE updated: 2026-05-13
Advisory published: 2017-02-17
Advisory updated: 2026-05-13

Who should care

Administrators, developers, and security teams that use libming or the listswf utility to inspect or process SWF files, especially in workflows where untrusted files may be opened.

Technical summary

NVD identifies a NULL pointer dereference (CWE-476) in dumpBuffer within read.c in libming’s listswf tool. The published vector is CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, indicating availability impact only and a user interaction requirement. The vulnerable scope in NVD covers libming through version 0.4.7.

Defensive priority

Medium — prioritize if your environment processes untrusted SWF files or still uses libming 0.4.7 or earlier. The main risk is application crash and service interruption.

Recommended defensive actions

  • Upgrade libming to a fixed version if one is available in your distribution or vendor package.
  • Remove or disable listswf in environments that do not need it.
  • Treat SWF files as untrusted input and process them in a restricted, sandboxed environment.
  • Add file-type and integrity checks before opening SWF content in automated pipelines.
  • Monitor for crashes or abnormal exits in tooling that invokes listswf.
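
The last two actions can be combined in a small pipeline wrapper, shown here as an added example that is not code from PatchSiren or libming. It checks the 8-byte SWF header before the file reaches listswf and classifies how the tool exited, so a signal-terminated run (such as the SIGSEGV a NULL pointer dereference produces) is reported as a crash. The function names, the 10-second timeout and the sample bytes are assumptions; the header check is a coarse filter and will not by itself reject every crafted file.

```python
import signal
import struct
import subprocess
from typing import Optional

SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")  # uncompressed, zlib, LZMA

def precheck_swf(data: bytes) -> Optional[str]:
    """Return a rejection reason, or None if the 8-byte header is plausible."""
    if len(data) < 8:
        return "shorter than the 8-byte SWF header"
    if data[:3] not in SWF_SIGNATURES:
        return "no SWF signature"
    declared = struct.unpack("<I", data[4:8])[0]  # length after decompression
    if declared < 8:
        return "declared length smaller than the header"
    if data[:3] == b"FWS" and declared != len(data):
        return "declared length does not match file size"
    return None

def classify_exit(returncode: int) -> str:
    """Map a POSIX subprocess return code to ok, error or crash:<SIGNAL>."""
    if returncode == 0:
        return "ok"
    if returncode < 0:  # subprocess reports death by signal N as -N
        return "crash:" + signal.Signals(-returncode).name
    return "error"

def inspect_swf(path: str, tool: str = "listswf", timeout: int = 10) -> str:
    """Pre-check the file, run the tool with a time limit, report the outcome."""
    with open(path, "rb") as fh:
        reason = precheck_swf(fh.read())
    if reason:
        return "rejected: " + reason
    try:
        proc = subprocess.run([tool, path], stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout"
    return classify_exit(proc.returncode)

if __name__ == "__main__":
    # Constructed 12-byte sample: FWS, version 10, declared length 12.
    sample = b"FWS\x0a" + struct.pack("<I", 12) + b"\x00" * 4
    print(precheck_swf(sample), classify_exit(-signal.SIGSEGV))
```

Any result beginning with "crash:" is worth alerting on and quarantining the input file for later analysis.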

Evidence notes

NVD lists the weakness as CWE-476 and the CVSS v3.0 vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The NVD record and referenced Gentoo blog post describe a NULL pointer dereference in dumpBuffer/read.c in libming’s listswf tool, and the NVD CPE criteria cover libming through 0.4.7. Related references include Openwall oss-security posts and SecurityFocus BID 94627.

Official resources

CVE-2016-9828 was published on 2017-02-17 and later modified on 2026-05-13. NVD records it as affecting libming through 0.4.7, with availability-only impact and a user interaction requirement. This debrief is based on the official CVE/NVD record