#VU68829 Resource management error in Libxml2 - CVE-2022-40304


| Updated: 2023-02-08

Vulnerability identifier: #VU68829

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-40304

CWE-ID: CWE-399

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Libxml2
Universal components / Libraries / Libraries used by multiple products

Vendor: Gnome Development Team

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in entities.c due to the way libxml2 handles reference cycles. The library does not anticipate that entity content can be allocated from a dict and clears it upon reference cycle detection by setting its first byte to zero. This can lead to memory corruption  issues, such as double free errors and result in a denial of service.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Libxml2: 2.0.0 - 2.10.2

External links
https://gitlab.gnome.org/GNOME/libxml2/-/commit/644a89e080bced793295f61f18aac8cfad6bece2
https://aix.software.ibm.com/aix/efixes/security/libxml2_advisory4.asc

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in HPE Brocade Fabric OS
Multiple vulnerabilities in Dell ObjectScale
Amazon Linux AMI update for xmlsec1
Amazon Linux AMI update for libxml2
Multiple vulnerabilities in Dell Data Lakehouse System Software
Multiple vulnerabilities in Siemens Telecontrol Server Basic
Multiple vulnerabilities in Netcool Operations Insight
Multiple vulnerabilities in IBM QRadar SIEM
Multiple vulnerabilities in Red Hat OpenShift GitOps
Multiple vulnerabilities in Red Hat OpenShift GitOps