CVE-2022-40304

CVSS v2.0

8.5

High

Vector

AV:N/AC:L/Au:N/C:N/I:P/A:C

Name of the Vulnerable Software and Affected Versions libxml2 versions prior to 2.10.3

Description An issue was discovered in libxml2 where certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked, which may allow a remote attacker to cause a denial of service. The vulnerability is related to the handling of objects with a dict structure, where the value of the first byte is zero. This issue can be exploited by a remote attacker to cause a denial of service.

Recommendations For libxml2 versions prior to 2.10.3, update to version 2.10.3 or later to resolve the issue. As a temporary workaround, consider restricting the use of the XML PARSE HUGE function to minimize the risk of exploitation. Additionally, avoid using specially-crafted files that could provoke the double-free error until the issue is resolved.

Fix

DoS

Integer Overflow

Double Free

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-190CWE-399CWE-415

Related Identifiers

ALSA-2023:0173

ALSA-2023:0338

ALT-PU-2022-2865

ALT-PU-2022-3377

ALT-PU-2023-1172

ALT-PU-2023-1234

AZL-11500

BDU:2022-06700

BDU:2022-06701

CESA-2023_0173

CVE-2022-40304

DLA-3172-1

DSA-5271-1

MGASA-2022-0412

OESA-2022-2080

OESA-2022-2081

OESA-2022-2082

OPENSUSE-SU-2022_3692-1

OPENSUSE-SU-2022_3871-1

OPENSUSE-SU-2024:12419-1

RHSA-2023:0173

RHSA-2023:0338

RHSA-2023_0173

RHSA-2023_0338

RHSA-2024:0413

RLSA-2023:0173

RLSA-2023:0338

SUSE-SU-2022:3692-1

SUSE-SU-2022:3717-1

SUSE-SU-2022:3871-1

USN-5760-1

USN-5760-2

Affected Products

Alt Linux

Almalinux

Astra Linux

Centos

Ibm Aix

Linuxmint

Apple Macos

Red Hat

Red Os

Rocky Linux

Suse

Ubuntu

Libxml2

CVE-2022-40304

Weakness Enumeration

Related Identifiers

Affected Products

References · 114