CVE-2017-9433

9.8 CRITICAL

📋 TL;DR

CVE-2017-9433 is a critical heap-based buffer overflow vulnerability in libmwaw, a library for parsing legacy Microsoft Word documents. Exploitation allows arbitrary code execution with the privileges of the application using the library. Affected systems include any software that uses vulnerable versions of libmwaw to process untrusted Word documents.

💻 Affected Systems

Products:
  • libmwaw
  • software using libmwaw (like LibreOffice, AbiWord)
Versions: All versions before 2017-04-08
Operating Systems: Linux, Windows, macOS, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability triggers when parsing specially crafted Microsoft Word documents.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Arbitrary code execution when processing malicious Word documents, potentially leading to malware installation or data exfiltration.

🟢 If Mitigated: Limited impact if proper input validation and memory protections are enabled, potentially causing only application crashes.

🌐 Internet-Facing: HIGH - Any service accepting Word document uploads could be exploited remotely.
🏢 Internal Only: MEDIUM - Internal users could exploit via malicious documents, but exploitation requires user interaction.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof-of-concept available via OSS-Fuzz. Exploitation requires a user to open a malicious document.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: libmwaw version from 2017-04-08 or later

Vendor Advisory: https://sourceforge.net/p/libmwaw/libmwaw/ci/68b3b74569881248bfb6cbb4266177cc253b292f/

Restart Required: Yes

Instructions:

1. Update libmwaw to a version from 2017-04-08 or later.
2. Update dependent applications.
3. Restart affected services.

🔧 Temporary Workarounds

Disable libmwaw document processing (platform: all)

Configure applications to not use libmwaw for parsing Word documents. Application-specific configuration required.

Enable ASLR and DEP (platform: linux/windows)

Use operating system memory protection features:

sudo sysctl -w kernel.randomize_va_space=2  # Linux
Enable DEP in Windows security settings

🧯 If You Can't Patch

  • Block Word document uploads/processing at network perimeter
  • Implement application whitelisting to prevent unauthorized code execution

🔍 How to Verify

Check if Vulnerable:

Check libmwaw version: dpkg -l | grep libmwaw or rpm -qa | grep libmwaw

Check Version:

dpkg -l | grep libmwaw  # Debian/Ubuntu
rpm -qa | grep libmwaw  # RHEL/CentOS
pkg info libmwaw  # FreeBSD

Verify Fix Applied:

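Verify the installed package version is from 2017-04-08 or later by re-running the package manager query under Check Version. libmwaw is a library and installs no libmwaw executable, so there is no libmwaw --version command to run.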

📡 Detection & Monitoring

Log Indicators:

  • Application crashes when processing Word documents
  • Memory access violation errors

Network Indicators:

  • Unusual outbound connections after document processing
  • Document uploads to vulnerable services

SIEM Query:

source="application.log" AND ("segmentation fault" OR "buffer overflow") AND "libmwaw"
