PT-2024-6222 · Libxml2+2

Published: 2024-07-05 · Updated: 2026-05-08 · CVE-2024-40896

CVSS v2.0: 9.4 (Critical)
Vector: AV:N/AC:L/Au:N/C:N/I:C/A:C
Name of the Vulnerable Software and Affected Versions

libxml2 versions 2.11 through 2.11.8
libxml2 versions 2.12 through 2.12.8
libxml2 versions 2.13 through 2.13.2

Description

The issue is related to the SAX parser in libxml2, which can produce events for external entities even if custom SAX handlers try to override entity content. This makes classic XXE attacks possible, allowing a remote attacker to access arbitrary files on the server or perform network scanning of internal and external infrastructure.

Recommendations

For libxml2 versions 2.11 through 2.11.8, update to version 2.11.9 or later.
For libxml2 versions 2.12 through 2.12.8, update to version 2.12.9 or later.
For libxml2 versions 2.13 through 2.13.2, update to version 2.13.3 or later.
As a temporary workaround, consider disabling the use of external entities in the SAX parser until a patch is available.
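An added pre-parse screening check for deployments applying the workaround above (example code, not from libxml2 or the advisory's authors): it rejects documents whose DOCTYPE would make libxml2 resolve an external entity, and checks a libxml2 version string against the affected ranges listed on this page. It assumes the application has no legitimate need for DTDs; the sample document is constructed.

```python
"""Screen XML for external-entity declarations before libxml2 sees it, and
check a libxml2 version against the advisory's affected ranges. Added example
for this advisory, not libxml2 code; assumes the application never needs DTDs."""
import re

# Affected ranges from the advisory (inclusive): (first, last) per branch.
AFFECTED = [((2, 11, 0), (2, 11, 8)), ((2, 12, 0), (2, 12, 8)),
            ((2, 13, 0), (2, 13, 2))]

_DOCTYPE = re.compile(rb"<!DOCTYPE\s", re.IGNORECASE)
# DOCTYPE head that points at an external DTD subset: name then SYSTEM/PUBLIC.
_EXT_DTD = re.compile(rb"^\s*[^\s\[>]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
# General (<!ENTITY x SYSTEM ...>) or parameter (<!ENTITY % x SYSTEM ...>)
# entity declared with an external identifier inside the internal subset.
_EXT_ENTITY = re.compile(rb"<!ENTITY\s+(?:%\s+)?[^\s>]+\s+(?:SYSTEM|PUBLIC)\b",
                         re.IGNORECASE)

# Constructed sample showing the document shape the advisory warns about.
SAMPLE_XXE = b'<!DOCTYPE r [<!ENTITY e SYSTEM "file:///srv/app/constructed.txt">]><r>&e;</r>'

def is_affected(version):
    """True if a libxml2 version string such as '2.12.3' is in an affected range."""
    v = tuple(int(p) for p in version.strip().split(".")[:3])
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def classify_doctype(xml_bytes):
    """Return 'none', 'internal' or 'external'.  'external' means the
    DOCTYPE references an external DTD or declares an entity with a
    SYSTEM/PUBLIC identifier, the shape behind the XXE the advisory
    describes.  Comments in the internal subset are not stripped, so a
    commented-out declaration still counts: the check fails closed."""
    m = _DOCTYPE.search(xml_bytes)
    if not m:
        return "none"
    rest = xml_bytes[m.end():]
    lb, end = rest.find(b"["), rest.find(b">")
    if lb != -1 and (end == -1 or lb < end):
        head = rest[:lb]                      # text before the internal subset
        close = re.search(rb"\]\s*>", rest[lb:])
        subset = rest[lb + 1:lb + close.start()] if close else rest[lb + 1:]
    else:
        head, subset = rest[:end], b""        # no internal subset at all
    if _EXT_DTD.match(head) or _EXT_ENTITY.search(subset):
        return "external"
    return "internal"

def should_reject(xml_bytes, allow_internal_dtd=False):
    """Policy: refuse anything external; internal-only DTDs are opt-in."""
    kind = classify_doctype(xml_bytes)
    return kind == "external" or (kind == "internal" and not allow_internal_dtd)
```

Internal-only DTDs are still a resource-exhaustion risk (entity expansion), which is why they stay rejected unless explicitly allowed.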

Fix

XXE


Related Identifiers

ALT-PU-2024-16574
ALT-PU-2024-16632
ALT-PU-2025-14872
ALT-PU-2025-3717
AZL-54657
BDU:2024-07164
BIT-JAVA-2024-40896
BIT-JAVA-MIN-2024-40896
BIT-JRE-2024-40896
CVE-2024-40896
OESA-2024-1950
OPENSUSE-SU-2024:14241-1
OPENSUSE-SU-2024:14611-1
OPENSUSE-SU-2025:0024-1
SUSE-SU-2025:20116-1
SUSE-SU-2025:20418-1
USN-7215-1

Affected Products

Alt Linux
Ubuntu
Libxml2