PT-2022-2584 · Libxml2+11 · Libxml2+11
Published
2022-03-08
·
Updated
2026-03-13
·
CVE-2022-29824
CVSS v2.0
7.1
High
| Vector | AV:N/AC:M/Au:N/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
libxml2 versions prior to 2.9.14
libxslt versions prior to 1.1.35
Description
The issue is related to integer overflows in several buffer handling functions in buf.c (
xmlBuf*) and tree.c (xmlBuffer*) of the libxml2 library. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file, potentially leading to a denial of service condition or arbitrary code execution. Other software using libxml2's buffer functions is also affected.Recommendations
For libxml2 versions prior to 2.9.14, update to version 2.9.14 or later to resolve the issue.
For libxslt versions prior to 1.1.35, update to version 1.1.35 or later to resolve the issue.
As a temporary workaround, consider restricting the use of the vulnerable buffer functions (
xmlBuf* and xmlBuffer*) until a patch is available.
Avoid using the xmlBufAdd function in the affected API endpoints until the issue is resolved.Exploit
Fix
DoS
Integer Overflow
Memory Corruption
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Alt Linux
Astra Linux
Centos
Ibm Aix
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Libxml2
Libxslt