PT-2015-3255 · Xmlsoft+5 · Libxml2+5

Kostya Serebryany

Published

2015-11-20

Updated

2026-03-13

CVE-2015-7499

CVSS v2.0

5.0

Medium

Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions libxml2 versions prior to 2.9.3

Description The issue is a heap-based buffer overflow in the xmlGROW function in parser.c in libxml2. This allows context-dependent attackers to obtain sensitive process memory information via unspecified vectors. A remote attacker could provide a specially crafted XML or HTML file that, when processed by an application using libxml2, would cause that application to use an excessive amount of CPU, leak potentially sensitive information, or crash the application.

Recommendations For versions prior to 2.9.3, update to version 2.9.3 or later to resolve the issue. As a temporary workaround, consider restricting the use of the xmlGROW function in parser.c to minimize the risk of exploitation. Avoid processing untrusted or specially crafted XML or HTML files with libxml2 until the issue is resolved.

Exploit

Fix

Buffer Overflow

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-119

Related Identifiers

ALT-PU-2015-2016

BDU:2016-01644

CESA-2015_2549

CESA-2015_2550

CVE-2015-7499

DLA-373-1

DSA-3430-1

GHSA-JXJR-5H69-QW3W

MGASA-2015-0457

OPENSUSE-SU-2024:10192-1

OPENSUSE-SU-2024:10549-1

OPENSUSE-SU-2024:11340-1

OPENSUSE-SU-2024:11912-1

OPENSUSE-SU-2024:13165-1

OPENSUSE-SU-2024:14174-1

OPENSUSE-SU-2025:14697-1

OPENSUSE-SU-2026:10356-1

RHSA-2015:2549

RHSA-2015:2550

RHSA-2015_2549

RHSA-2015_2550

SUSE-SU-2016:0030-1

SUSE-SU-2016:0049-1

SUSE-SU-2016:0786-1

USN-2834-1

USN-2875-1

Affected Products

Alt Linux

Centos

Red Hat

Suse

Ubuntu

Libxml2

PT-2015-3255 · Xmlsoft+5 · Libxml2+5

CVE-2015-7499

Weakness Enumeration

Related Identifiers

Affected Products

References · 152