Null Pointer Dereference in libxml2 Affects Multiple Applications
CVE-2018-14404

7.5HIGH

Key Information:

Vendor: Canonical
Status: Ubuntu Linux; Debian Linux
Vendor: CVE Published:; 19 July 2018

What is CVE-2018-14404?

A NULL pointer dereference vulnerability is present in the xpath.c:xmlXPathCompOpEval() function of the libxml2 library, specifically impacting versions up to 2.9.8. This flaw occurs when the library processes invalid XPath expressions in the XPATH_OP_AND or XPATH_OP_OR scenarios. Applications that utilize libxml2 for managing untrusted XSL format inputs may experience a denial of service, potentially resulting in application crashes. This vulnerability emphasizes the importance of validating input data to prevent unexpected behavior during XPath evaluation.

References

https://lists.debian.org/debian-lts-announce/2018/09/msg0...

mailing-listx_refsource_MLIST

https://gitlab.gnome.org/GNOME/libxml2/issues/10

x_refsource_MISC

https://usn.ubuntu.com/3739-1/

vendor-advisoryx_refsource_UBUNTU

EPSS Score

23% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 19, 2018
Vulnerability Reserved
Jul 19, 2018

Canonical

What is CVE-2018-14404?

References

EPSS Score

CVSS V3.1

Timeline