Buffer Overflow Vulnerability in libxml2 Affects GNOME Products
CVE-2022-29824

6.5 MEDIUM

Key Information:

Vendor: Xmlsoft
CVE Published: 3 May 2022

What is CVE-2022-29824?

In libxml2 versions before 2.9.14, several buffer-handling functions in buf.c and tree.c do not properly validate input lengths, which can lead to out-of-bounds memory writes. Exploitation requires a user to open a maliciously crafted multi-gigabyte XML file. Other software that relies on libxml2, such as libxslt up to version 1.1.35, is susceptible to similar attacks, so affected installations should be updated promptly.

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
