CVE-2008-3529
published 2008-09-12


Priority: P2 63 critical
CVSS 2.0: 10 (vector AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 23.37% (97.5th percentile)
Heap-based buffer overflow in the xmlParseAttValueComplex function in parser.c in libxml2 before 2.7.0 allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via a long XML entity name.

Affected (20 ranges)

Vendor    | Product            | Version range                          | Fixed in
----------|--------------------|----------------------------------------|------------------------------------
apple     | iphone_os          | < 3.0                                  | 3.0
apple     | mac_os_x           | < 10.5.7                               | 10.5.7
apple     | mac_os_x           |                                        |
apple     | safari             | < 4.0                                  | 4.0
apple     | safari             | >= 3.2.0 < 3.2.3                       | 3.2.3
canonical | ubuntu_linux       |                                        |
canonical | ubuntu_linux       |                                        |
canonical | ubuntu_linux       |                                        |
canonical | ubuntu_linux       |                                        |
canonical | ubuntu_linux       |                                        |
canonical | ubuntu_linux       |                                        |
debian    | debian_linux       |                                        |
debian    | libxml2            | < libxml2 2.6.32.dfsg-4 (bookworm)     | libxml2 2.6.32.dfsg-4 (bookworm)
vmware    | esxi               |                                        |
vmware    | vmware_workstation |                                        |
xmlsoft   | libxml2            | < 2.7.0                                | 2.7.0
xmlsoft   | libxml2            | >= 0 < 2.6.32.dfsg-4                   | 2.6.32.dfsg-4
xmlsoft   | libxml2            | >= 0 < 2.6.32.dfsg-4                   | 2.6.32.dfsg-4
xmlsoft   | libxml2            | >= 0 < 2.6.32.dfsg-4                   | 2.6.32.dfsg-4
xmlsoft   | libxml2            | >= 0 < 2.6.32.dfsg-4                   | 2.6.32.dfsg-4

Detection & IOCs (extracted from sources)

url: https://bugzilla.redhat.com/attachment.cgi?id=315480
path: /System/Library/Frameworks/PubSub.framework/Versions/A/Resources/PubSubAgent.app/Contents/MacOS/PubSubAgent
process: PubSubAgent
  • The crash is triggered by a specially crafted XML document containing a long XML entity name, which overflows a heap buffer in xmlParseAttValueComplex in parser.c. Monitor for XML parsing crashes (SIGSEGV / EXC_BAD_ACCESS) in processes linked against libxml2 before 2.7.0.
  • The PoC exploit delivers a malicious XML payload over HTTP on port 80 at the path /pwn with Content-Type text/xml, and redirects the browser via the feed:// URI scheme. Inspect HTTP responses serving XML with unusually long entity name definitions.
  • The exploit XML payload uses an internal DTD subset with a long entity name to trigger the overflow. Detect XML documents whose DTD entity declarations contain excessively long names (e.g., thousands of repeated characters).
  • The vulnerability only affects libxml2 versions before 2.7.0; systems running libxml2 2.7.0 or later are not affected. Verify the installed version before applying detection logic.
  • When processing extremely large XML documents with valid entities, the protections added for CVE-2008-3529 may be triggered incorrectly (a false positive), causing legitimate XML processing to fail. Tune entity-length detection thresholds accordingly.
  • On macOS, exploitation targets the PubSubAgent process via the feed:// URI scheme in Safari RSS, so detection should be scoped to that process and URI scheme on macOS; on Windows, the attack surface is any application that links libxml2.dll.

CVSS provenance

Source        | Version | Score | Severity | Vector
--------------|---------|-------|----------|-----------------------------
nvd           | v2.0    | 10.0  | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
osv           |         | 10.0  | CRITICAL |
vendor_debian |         | 10.0  | CRITICAL |
vendor_redhat |         | 10.0  | CRITICAL |
vendor_ubuntu |         | 10.0  | CRITICAL |