CVE-2022-23308 — Use After Free in Libxml2

CWE-416 — Use After Free19 documents12 sources

Severity

7.5HIGHNVD

GHSA8.8

EPSS

0.1%

top 84.55%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Xmlsoft Libxml2 Apple Ipados Apple Iphone OS +13 more

Timeline

PublishedFeb 26

Latest updateJul 15

Description

valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages16 packages

▶NVDxmlsoft/libxml2< 2.9.13

▶Debianxmlsoft/libxml2< 2.9.10+dfsg-6.7+deb11u1+3

▶Ubuntuxmlsoft/libxml2< 2.9.4+dfsg1-6.1ubuntu1.6+4

▶NVDapple/tvos< 15.5

▶NVDapple/macos11.6.0 — 11.6.6+1

Also affects: Debian Linux 9.0, Fedora 34

Patches

Patch: github.com ↗Patch: www.oracle.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

libxml2 vulnerabilities↗2022-05-16

▶

GHSA

GHSA-8v47-xfh7-92fh: valid↗2022-02-27

▶

OSV

CVE-2022-23308: valid↗2022-02-26

▶

CVEList

CVE-2022-23308: valid↗2022-02-26

▶

GHSA

Vulnerable dependencies in Nokogiri↗2022-02-25

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Risk Matrix: BSF (libxml2) — CVE-2022-23308↗2022-07-15

▶

Chrome

Long Term Support Channel Update for ChromeOS: CVE-2022-1859↗2022-05-31

▶

Apple

CVE-2022-23308: tvOS 15.5↗2022-05-16

▶

Apple

CVE-2022-23308: Security Update 2022-004 Catalina↗2022-05-16

▶

Apple

CVE-2022-23308: iOS 15.5 and iPadOS 15.5↗2022-05-16

▶