Non-Deterministic Value Generation in libxml2 Affects Multiple Applications
CVE-2023-29469
6.5 MEDIUM
What is CVE-2023-29469?
A vulnerability in libxml2 versions prior to 2.10.4 arises when hashing empty dictionary strings in XML documents. The function xmlDictComputeFastKey can yield non-deterministic values because it attempts to read the first byte of an empty string, which the code assumed would be the null terminator ('\0'); any other byte at that position produces a different key for the same (empty) name. The inconsistent keys lead to logic and memory errors, including a double free. Developers are encouraged to update to the latest release to mitigate the associated risks.
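The following is an added illustration of the failure mode described above; it is not libxml2's code. The hash function and the bucketed dictionary are hypothetical toys written to mirror the defect: the vulnerable key routine mixes in name[0] unconditionally, so a zero-length name backed by a buffer whose first byte is not '\0' hashes to an arbitrary value, and the same logical key can be interned twice. The hardened routine returns a fixed key for an empty name without touching the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical "fast key" mixing step, modelled on the defect described in
 * CVE-2023-29469. This is illustrative code, NOT libxml2's xmlDictComputeFastKey. */
static uint32_t mix_bytes(const char *name, size_t len)
{
    uint32_t value = (uint32_t)len;
    value += 30 * (uint32_t)(unsigned char)name[0];      /* reads name[0] even if len == 0 */
    if (len > 1)
        value += 20 * (uint32_t)(unsigned char)name[len - 1];
    return value;
}

/* Vulnerable variant: for len == 0 it still reads name[0]. The caller never
 * promised that byte is '\0' (a zero-length slice of a parsed document points
 * at whatever comes next), so two empty names can get different keys. */
static uint32_t fast_key_vulnerable(const char *name, size_t len)
{
    return mix_bytes(name, len);
}

/* Hardened variant: an empty name gets a fixed key and the buffer is not read. */
static uint32_t fast_key_fixed(const char *name, size_t len)
{
    if (len == 0)
        return 0;
    return mix_bytes(name, len);
}

/* Minimal bucketed dictionary so the effect of a bad key is visible:
 * a name that lands in the wrong bucket is not found and gets interned again. */
#define NBUCKETS 8
#define MAXENT   16

typedef uint32_t (*key_fn)(const char *, size_t);

struct entry { size_t len; char data[16]; };
struct dict  { struct entry ent[NBUCKETS][MAXENT]; int count[NBUCKETS]; int total; };

static void dict_init(struct dict *d) { memset(d, 0, sizeof *d); }

/* Look the name up in the bucket chosen by hash(); insert a copy if absent.
 * Returns the total number of entries held after the call. */
static int dict_intern(struct dict *d, key_fn hash, const char *name, size_t len)
{
    int b = (int)(hash(name, len) % NBUCKETS);
    for (int i = 0; i < d->count[b]; i++) {
        struct entry *e = &d->ent[b][i];
        if (e->len == len && memcmp(e->data, name, len) == 0)
            return d->total;                         /* already interned */
    }
    if (d->count[b] < MAXENT && len < sizeof d->ent[b][0].data) {
        struct entry *e = &d->ent[b][d->count[b]++];
        e->len = len;
        memcpy(e->data, name, len);
        e->data[len] = '\0';
        d->total++;
    }
    return d->total;
}

/* Constructed inputs: two zero-length names whose backing buffers start with
 * different bytes, as happens with empty slices taken from a larger document. */
static const char buf_a[] = "A";
static const char buf_b[] = "z";

/* Intern the empty name twice (via both buffers) and report how many entries
 * exist. A correct dictionary holds exactly one. */
static int entry_count_with(key_fn hash)
{
    struct dict d;
    dict_init(&d);
    dict_intern(&d, hash, buf_a, 0);
    return dict_intern(&d, hash, buf_b, 0);
}

int vulnerable_entry_count(void) { return entry_count_with(fast_key_vulnerable); }  /* 2: duplicate */
int fixed_entry_count(void)      { return entry_count_with(fast_key_fixed); }       /* 1: correct */

int main(void)
{
    /* Non-zero exit if the vulnerable hash duplicated the empty key. */
    return vulnerable_entry_count() != fixed_entry_count();
}
```

The duplicate entry is the root of the downstream problems the advisory names: once the same name is held twice, one owner can release it while another still refers to it, which is how a key-computation bug turns into a double free.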