Null Pointer Dereference in libxml2 Affects Multiple Applications
CVE-2018-14404

7.5HIGH

Key Information:

Vendor
Canonical
Status
Ubuntu Linux
Debian Linux
Vendor
CVE Published:
19 July 2018

Summary

A NULL pointer dereference vulnerability is present in the xpath.c:xmlXPathCompOpEval() function of the libxml2 library, specifically impacting versions up to 2.9.8. This flaw occurs when the library processes invalid XPath expressions in the XPATH_OP_AND or XPATH_OP_OR scenarios. Applications that utilize libxml2 for managing untrusted XSL format inputs may experience a denial of service, potentially resulting in application crashes. This vulnerability emphasizes the importance of validating input data to prevent unexpected behavior during XPath evaluation.

References

https://lists.debian.org/debian-lts-announce/2018/09/msg0...
mailing-listx_refsource_MLIST
https://gitlab.gnome.org/GNOME/libxml2/issues/10
x_refsource_MISC
https://usn.ubuntu.com/3739-1/
vendor-advisoryx_refsource_UBUNTU

EPSS Score

23% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.