CVE-2016-1837

Name of the Vulnerable Software and Affected Versions libxml2 versions prior to 2.9.4 Apple iOS versions prior to 9.3.2 OS X versions prior to 10.11.5 tvOS versions prior to 9.2.1 watchOS versions prior to 2.2.1

Description The issue is caused by multiple use-after-free vulnerabilities in the htmlParsePubidLiteral and htmlParseSystemiteral functions in libxml2. This allows remote attackers to cause a denial of service via a crafted XML document. Additionally, the vulnerability can be exploited to execute arbitrary code or cause a denial of service due to a buffer overflow, by using a specially formed XML document.

Recommendations For libxml2 versions prior to 2.9.4, update to version 2.9.4 or later. For Apple iOS versions prior to 9.3.2, update to version 9.3.2 or later. For OS X versions prior to 10.11.5, update to version 10.11.5 or later. For tvOS versions prior to 9.2.1, update to version 9.2.1 or later. For watchOS versions prior to 2.2.1, update to version 2.2.1 or later. As a temporary workaround, consider restricting the use of libxml2 until a patch is available. Avoid using the htmlParsePubidLiteral and htmlParseSystemiteral functions in the affected API endpoints until the issue is resolved.