PT-2024-1711 · Libxml2+13
Published
2024-02-04
·
Updated
2026-05-08
·
CVE-2024-25062
CVSS v2.0
7.8
High
| Vector | AV:N/AC:L/Au:N/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
libxml2 versions before 2.11.7
libxml2 versions 2.12.0 through 2.12.4
Description
A use-after-free flaw was found in the xmlValidatePopElement() function of the libxml2 library when the XML Reader interface is used with DTD validation and XInclude expansion both enabled. A remote attacker can trigger it by supplying a crafted XML document for processing, causing a crash and a denial of service. The estimated number of potentially affected devices is not specified.
Recommendations
For libxml2 versions before 2.11.7, update to version 2.11.7 or later.
For libxml2 versions 2.12.0 through 2.12.4, update to version 2.12.5 or later.
If updating is not immediately possible, do not process untrusted XML through the XML Reader interface with DTD validation (XML_PARSE_DTDVALID) and XInclude expansion (XML_PARSE_XINCLUDE) both enabled; turning off either option removes the precondition the advisory names. xmlValidatePopElement() is an internal validation routine and cannot be disabled on its own. Restrict processing of untrusted XML documents to minimize the risk of exploitation.
Exploit
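The following triage script is an added example, not code from the advisory or from the libxml2 project. It encodes the two affected ranges above, decodes the numeric version form libxml2 exports, and checks whether a reader option mask combines DTD validation with XInclude expansion. The XML_PARSE_DTDVALID and XML_PARSE_XINCLUDE bit values are libxml2's own enum values; the host-detection part (loading libxml2 via ctypes and reading its exported xmlParserVersion string, or falling back to xml2-config) is an assumption about the environment and returns None where neither is available.

```python
"""Triage helper for CVE-2024-25062: is a libxml2 build in the affected range, and does a
reader's option mask combine DTD validation with XInclude expansion?"""
import ctypes
import ctypes.util
import re
import shutil
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Bit values from libxml2's xmlParserOption enum (libxml/parser.h); the same mask is the
# "options" argument of xmlReaderForMemory()/xmlReaderForFile().
XML_PARSE_DTDVALID = 1 << 4    # validate against the DTD
XML_PARSE_XINCLUDE = 1 << 10   # perform XInclude substitution

# First fixed releases per the advisory: before 2.11.7 and 2.12.0-2.12.4 are affected.
FIXED_2_11: Version = (2, 11, 7)
FIXED_2_12: Version = (2, 12, 5)


def parse_version(text: str) -> Version:
    """Extract x.y.z from strings such as '2.11.6' or 'libxml2 2.12.4-1 (constructed)'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def numeric_to_version(n: int) -> Version:
    """Decode libxml2's numeric LIBXML_VERSION form (2.11.7 is exported as 21107)."""
    return n // 10000, (n // 100) % 100, n % 100


def fix_version_for(version: Version) -> Optional[Version]:
    """Return the release to upgrade to, or None if this version is not affected."""
    if version[:2] == (2, 12):
        return FIXED_2_12 if version < FIXED_2_12 else None
    if version < FIXED_2_11:          # 2.11.0-2.11.6 and every older branch
        return FIXED_2_11
    return None                        # 2.11.7+, 2.13+


def is_affected(version: Version) -> bool:
    return fix_version_for(version) is not None


def reaches_vulnerable_path(options: int) -> bool:
    """The advisory's precondition: DTD validation AND XInclude enabled on the reader."""
    return bool(options & XML_PARSE_DTDVALID) and bool(options & XML_PARSE_XINCLUDE)


def without_xinclude(options: int) -> int:
    """Workaround mask: keep validation, drop XInclude expansion. Dropping DTDVALID
    instead works equally well if XInclude is the feature the caller needs."""
    return options & ~XML_PARSE_XINCLUDE


def installed_version() -> Optional[Version]:
    """Best-effort detection of the libxml2 on this host (assumption: ctypes can load it,
    or xml2-config is on PATH); None if neither works."""
    libname = ctypes.util.find_library("xml2")
    if libname:
        try:
            lib = ctypes.CDLL(libname)
            # xmlParserVersion is an exported 'const char *' such as b"21107" (possibly
            # followed by a build suffix), so take only the leading digits.
            raw = ctypes.c_char_p.in_dll(lib, "xmlParserVersion").value or b""
            m = re.match(rb"\d+", raw)
            if m:
                return numeric_to_version(int(m.group(0)))
        except (OSError, ValueError, AttributeError):
            pass
    if shutil.which("xml2-config"):
        out = subprocess.run(["xml2-config", "--version"], capture_output=True, text=True)
        if out.returncode == 0:
            return parse_version(out.stdout)
    return None


if __name__ == "__main__":
    v = installed_version()
    if v is None:
        print("libxml2 not found on this host")
    else:
        fix = fix_version_for(v)
        verdict = f"AFFECTED, upgrade to {'.'.join(map(str, fix))}" if fix else "not affected"
        print(f"libxml2 {'.'.join(map(str, v))}: {verdict}")
    # Constructed reader option mask, as a program under audit might pass it.
    opts = XML_PARSE_DTDVALID | XML_PARSE_XINCLUDE
    print("reader options reach vulnerable path:", reaches_vulnerable_path(opts))
    print("after workaround:", reaches_vulnerable_path(without_xinclude(opts)))
```

Run it on a host to get an upgrade verdict for the installed library, or import it and feed `reaches_vulnerable_path()` the option masks found in your own xmlReader call sites.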
Fix
DoS
Use After Free
Buffer Overflow
Related Identifiers
Affected Products
Alt Linux
Almalinux
Astra Linux
Centos
Debian
Ibm Aix
Java Platform
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Libxml2