cbcvebase.
CVE-2022-40304
published 2022-11-23

Priority: P2
CVSS 3.1 base score: 7.8 (High), vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
In the wild: listed in VulnCheck KEV (exploited in the wild)
EPSS: 6.78% (93.2nd percentile)

An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked.

Affected (27 ranges, 25 shown)

Vendor   | Product                                   | Version range                         | Fixed in
apple    | ios_15.7.2_and_ipados                     |                                       |
apple    | ios_16.1.1_and_ipados                     |                                       |
apple    | ipados                                    | < 15.7.2                              | 15.7.2
apple    | iphone_os                                 | < 15.7.2                              | 15.7.2
apple    | macos                                     | >= 11.0, < 11.7.2                     | 11.7.2
apple    | macos                                     | >= 12.0, < 12.6.2                     | 12.6.2
apple    | macos_big_sur                             |                                       |
apple    | macos_monterey                            |                                       |
apple    | macos_ventura                             |                                       |
apple    | tvos                                      | < 16.2                                | 16.2
apple    | tvos                                      |                                       | 16.2
apple    | watchos                                   | < 9.2                                 | 9.2
apple    | watchos                                   |                                       |
debian   | libxml2                                   | < 2.9.14+dfsg-1.1 (bookworm)          | 2.9.14+dfsg-1.1 (bookworm)
msrc     | cbl2_libxml2_2.10.3-1_on_cbl_mariner_2.0  |                                       |
msrc     | cm1_libxml2_2.9.14-3_on_cbl_mariner_1.0   |                                       |
nokogiri | nokogiri                                  | >= 0, < 1.13.9                        | 1.13.9
xmlsoft  | libxml2                                   | < 2.10.3                              | 2.10.3
xmlsoft  | libxml2                                   | >= 0, < 2.9.10+dfsg-6.7+deb11u3       | 2.9.10+dfsg-6.7+deb11u3
xmlsoft  | libxml2                                   | >= 0, < 2.9.14+dfsg-1.1               | 2.9.14+dfsg-1.1
xmlsoft  | libxml2                                   | >= 0, < 2.9.14+dfsg-1.1               | 2.9.14+dfsg-1.1
xmlsoft  | libxml2                                   | >= 0, < 2.9.14+dfsg-1.1               | 2.9.14+dfsg-1.1
xmlsoft  | libxml2                                   | >= 0, < 2.9.4+dfsg1-6.1ubuntu1.8      | 2.9.4+dfsg1-6.1ubuntu1.8
xmlsoft  | libxml2                                   | >= 0, < 2.9.10+dfsg-5ubuntu0.20.04.5  | 2.9.10+dfsg-5ubuntu0.20.04.5
xmlsoft  | libxml2                                   | >= 0, < 2.9.13+dfsg-1ubuntu0.2        | 2.9.13+dfsg-1ubuntu0.2

Detection & IOCs (extracted from sources)

  • CVE-2022-40304 is triggered by invalid XML entity definitions that corrupt a hash table key inside libxml2, which can lead to a double-free. No public indicator of a malicious document is recorded here, so the practical detection is inventory: find every copy of libxml2 older than 2.10.3 (or older than the vendor backport listed in the Affected table), including copies bundled inside other software such as nokogiri before 1.13.9.
  • Apple reported active exploitation of this issue against iOS versions released before iOS 15.7.1; prioritize detection and patching on Apple platforms.
  • Oracle advisories classify CVE-2022-40304 as local (remote exploit: No), matching the CVSS vector AV:L with UI:R. In practice this means the attacker needs a victim or service to parse a crafted document; any path that feeds externally sourced XML into libxml2 (attachments, uploads, configuration files) is still exposed, so "local" describes the scoring, not the reachability of the input.
  • The vulnerability affects libxml2 before version 2.10.3; Apple shipped the fix in out-of-band updates for iOS and macOS.
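The inventory step above is where most mistakes happen: the Debian and Ubuntu fixes in the Affected table are backports that keep an old upstream number (2.9.10, 2.9.13, 2.9.14), so comparing a host's package version against the upstream fix 2.10.3 flags patched machines and a naive string comparison gets ordering such as "deb11u2" vs "deb11u3" or "~rc1" wrong. The following is an added example, not code from this page or from the libxml2 project: it ports dpkg's version ordering to Python and triages constructed inventory lines against the fixed-in versions copied from the table. The rule for choosing which table entry to compare against (same upstream part, same ubuntu/non-ubuntu lineage, else the upstream baseline) is an assumption made here, as is the `host=... version=...` inventory format; the hostnames and versions are constructed sample data.

```python
"""Triage installed libxml2 versions against the fixed-in versions for
CVE-2022-40304 using dpkg's version ordering (epoch:upstream-revision,
'~' sorting before everything), so Debian/Ubuntu backports compare correctly."""

# Fixed-in versions copied from the Affected table. Distro packages carry the
# fix as a backport on an older upstream number, so comparing them against the
# upstream fix 2.10.3 alone would flag patched hosts.
FIXED_VERSIONS = [
    "2.10.3",                        # upstream libxml2 (xmlsoft)
    "2.9.14+dfsg-1.1",               # Debian bookworm
    "2.9.10+dfsg-6.7+deb11u3",       # Debian 11 update (deb11u suffix)
    "2.9.4+dfsg1-6.1ubuntu1.8",      # Ubuntu
    "2.9.10+dfsg-5ubuntu0.20.04.5",  # Ubuntu 20.04
    "2.9.13+dfsg-1ubuntu0.2",        # Ubuntu
]
UPSTREAM_BASELINE = "2.10.3"


def _order(c: str) -> int:
    """dpkg weight of one non-digit character ('' marks end of string)."""
    if c == "~":
        return -1                    # '~' sorts before even the empty string
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256              # '.', '+', '-' sort after all letters


def _verrevcmp(a: str, b: str) -> int:
    """Port of dpkg's verrevcmp(): alternate non-digit runs (by _order) and
    numeric runs (by value, leading zeros ignored). Negative, zero or positive."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1                 # a has more digits, so a is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, _, revision = version.rpartition("-")
    if not upstream:                 # no '-': rpartition put everything in revision
        upstream, revision = revision, ""
    return epoch, upstream, revision


def dpkg_compare(a: str, b: str) -> int:
    """-1, 0 or 1 following `dpkg --compare-versions` semantics."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def select_fixed_version(installed: str) -> str:
    """Heuristic (assumed here, not from the page): use the table entry with the
    same upstream part, preferring the same ubuntu/non-ubuntu lineage; otherwise
    fall back to the upstream baseline, which is only right if nothing was backported."""
    upstream, revision = _split(installed)[1:]
    candidates = [v for v in FIXED_VERSIONS if _split(v)[1] == upstream]
    lineage = [v for v in candidates if ("ubuntu" in _split(v)[2]) == ("ubuntu" in revision)]
    if lineage:
        return lineage[0]
    return candidates[0] if candidates else UPSTREAM_BASELINE


def is_affected(installed: str) -> bool:
    """True when the installed version sorts below its fixed-in version."""
    return dpkg_compare(installed, select_fixed_version(installed)) < 0


# Constructed inventory lines (not real hosts), e.g. collected with
# `dpkg-query -W -f='${Version}' libxml2` on each machine.
SAMPLE_INVENTORY = [
    "host=web-01 version=2.9.10+dfsg-6.7+deb11u2",       # Debian 11, one update behind
    "host=web-02 version=2.9.10+dfsg-6.7+deb11u3",       # Debian 11, patched
    "host=app-01 version=2.9.10+dfsg-5ubuntu0.20.04.4",  # Ubuntu 20.04, behind
    "host=app-02 version=2.9.13+dfsg-1ubuntu0.2",        # Ubuntu, patched
    "host=build-01 version=2.10.2",                      # built from source, behind
    "host=build-02 version=2.10.3~rc1",                  # pre-release sorts before 2.10.3
]


def triage(lines):
    """Map host -> (installed, fixed_in, affected) for 'host=... version=...' lines."""
    out = {}
    for line in lines:
        fields = dict(tok.split("=", 1) for tok in line.split())
        installed = fields["version"]
        out[fields["host"]] = (installed, select_fixed_version(installed), is_affected(installed))
    return out


if __name__ == "__main__":
    for host, (installed, fixed, affected) in triage(SAMPLE_INVENTORY).items():
        print(f"{host:9} {installed:32} fixed-in {fixed:30} {'AFFECTED' if affected else 'ok'}")
```

The fallback to the upstream baseline is the weak point of this approach: a distribution not listed in the table may have backported the fix under a version string the comparison cannot recognise, so a hit from the baseline path should be confirmed against that vendor's advisory rather than treated as final.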

CVSS provenance

Source        | CVSS version | Score | Severity | Vector
nvd           | 3.1          | 7.8   | HIGH     | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
ghsa          |              | 7.5   | HIGH     |
osv           |              | 7.8   | HIGH     |
vulncheck     |              | 7.8   | HIGH     |
vendor_debian |              | 7.8   | HIGH     |
vendor_msrc   |              | 7.8   | HIGH     |
vendor_oracle |              | 7.8   | HIGH     |
vendor_redhat |              | 7.8   | HIGH     |
vendor_ubuntu |              | 7.5   | HIGH     |

GHSA and Ubuntu score the issue 7.5; the other sources agree on 7.8. Only the NVD entry records a vector.