CVE-2022-49043
Published 2025-01-26. CVE-2022-49043: xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free.
Priority: P340 · high · 7.8 (CVSS 3.1)
EPSS: 0.26% (17.0th percentile)
xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free.
Affected (18 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libxml2 | < libxml2 2.9.14+dfsg-1.3~deb12u2 (bookworm) | libxml2 2.9.14+dfsg-1.3~deb12u2 (bookworm) |
| msrc | cbl2_libxml2_2.10.4-5_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_libxml2_2.10.4-6_on_cbl_mariner_2.0 | — | — |
| xmlsoft | libxml2 | < 2.11.0 | 2.11.0 |
| xmlsoft | libxml2 | >= 0 < 2.9.10+dfsg-6.7+deb11u6 | 2.9.10+dfsg-6.7+deb11u6 |
| xmlsoft | libxml2 | >= 0 < 2.9.14+dfsg-1.3~deb12u2 | 2.9.14+dfsg-1.3~deb12u2 |
| xmlsoft | libxml2 | >= 0 < 2.12.7+dfsg+really2.9.14-0.4 | 2.12.7+dfsg+really2.9.14-0.4 |
| xmlsoft | libxml2 | >= 0 < 2.12.7+dfsg+really2.9.14-0.4 | 2.12.7+dfsg+really2.9.14-0.4 |
| xmlsoft | libxml2 | >= 0 < 2.9.10+dfsg-5ubuntu0.20.04.9 | 2.9.10+dfsg-5ubuntu0.20.04.9 |
| xmlsoft | libxml2 | >= 0 < 2.9.10+dfsg-5ubuntu0.20.04.8 | 2.9.10+dfsg-5ubuntu0.20.04.8 |
| xmlsoft | libxml2 | >= 0 < 2.9.13+dfsg-1ubuntu0.6 | 2.9.13+dfsg-1ubuntu0.6 |
| xmlsoft | libxml2 | >= 0 < 2.9.13+dfsg-1ubuntu0.5 | 2.9.13+dfsg-1ubuntu0.5 |
| xmlsoft | libxml2 | >= 0 < 2.9.14+dfsg-1.3ubuntu3.2 | 2.9.14+dfsg-1.3ubuntu3.2 |
| xmlsoft | libxml2 | >= 0 < 2.9.14+dfsg-1.3ubuntu3.1 | 2.9.14+dfsg-1.3ubuntu3.1 |
| xmlsoft | libxml2 | >= 0 < 2.9.1+dfsg1-3ubuntu4.13+esm7 | 2.9.1+dfsg1-3ubuntu4.13+esm7 |
| xmlsoft | libxml2 | >= 0 < 2.9.3+dfsg1-1ubuntu0.7+esm7 | 2.9.3+dfsg1-1ubuntu0.7+esm7 |
| xmlsoft | libxml2 | >= 0 < 2.9.4+dfsg1-6.1ubuntu1.9+esm2 | 2.9.4+dfsg1-6.1ubuntu1.9+esm2 |
| xmlsoft | libxml2 | >= 2.0.0 < 2.11.0 | 2.11.0 |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| osv | 7.8 | HIGH | — |
| vendor_debian | 8.1 | HIGH | — |
| vendor_msrc | 8.1 | HIGH | — |
| vendor_redhat | 8.1 | HIGH | — |
| vendor_ubuntu | 8.1 | HIGH | — |
OSV · libxml2 vulnerabilities (osv · 2025-02-25 · CVSS 7.8) · CVE-2022-49043 [HIGH]
It was discovered that libxml2 incorrectly handled certain memory operations. A remote attacker could use this issue to cause libxml2 to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 18.04 LTS. (CVE-2022-49043)
It was discovered that the libxml2 xmllint tool incorrectly handled certain memory operations. If a user or automated system were tricked into running xmllint on a specially crafted xml file, a remote attacker could cause xmllint to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 18.04 LTS. (CVE-2024-34459)
It was discovered that libxml2 did not properly manage memory. An attacker could poss
OSV · libxml2 vulnerabilities (osv · 2025-01-29 · CVSS 7.8) · CVE-2022-49043 [HIGH]
It was discovered that libxml2 incorrectly handled certain memory operations. A remote attacker could use this issue to cause libxml2 to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2022-49043)
It was discovered that the libxml2 xmllint tool incorrectly handled certain memory operations. If a user or automated system were tricked into running xmllint on a specially crafted xml file, a remote attacker could cause xmllint to crash, resulting in a denial of service. (CVE-2024-34459)
OSV · CVE-2022-49043: xmlXIncludeAddNode in xinclude (osv · 2025-01-26 · CVSS 7.8) · CVE-2022-49043 [HIGH]
xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free.
GHSA · GHSA-84p5-cqqq-h4gr: xmlXIncludeAddNode in xinclude (ghsa_unreviewed · 2025-01-26) · CVE-2022-49043 [HIGH] · CWE-416
xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free.
Ubuntu · libxml2 vulnerabilities (vendor_ubuntu · 2025-02-25 · CVSS 8.1) · CVE-2022-49043 [HIGH]
Title: libxml2 vulnerabilities
Summary: Several security issues were fixed in libxml2.
It was discovered that libxml2 incorrectly handled certain memory operations. A remote attacker could use this issue to cause libxml2 to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 18.04 LTS. (CVE-2022-49043)
It was discovered that the libxml2 xmllint tool incorrectly handled certain memory operations. If a user or automated system were tricked into running xmllint on a specially crafted xml file, a remote attacker could cause xmllint to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 18.04 LTS. (CVE-2024-34459)
It was discovered tha
Ubuntu · libxml2 vulnerabilities (vendor_ubuntu · 2025-01-29 · CVSS 8.1) · CVE-2024-34459 [HIGH]
Title: libxml2 vulnerabilities
Summary: Several security issues were fixed in libxml2.
It was discovered that libxml2 incorrectly handled certain memory operations. A remote attacker could use this issue to cause libxml2 to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2022-49043)
It was discovered that the libxml2 xmllint tool incorrectly handled certain memory operations. If a user or automated system were tricked into running xmllint on a specially crafted xml file, a remote attacker could cause xmllint to crash, resulting in a denial of service. (CVE-2024-34459)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat · libxml: use-after-free in xmlXIncludeAddNode (vendor_redhat · 2025-01-26 · CVSS 8.1) · CVE-2022-49043 [HIGH] · CWE-416
xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free.
A flaw was found in libxml2 where improper handling of memory allocation failures in `libxml2` can lead to crashes, memory leaks, or inconsistent states. While an attacker cannot directly control allocation failures, they may trigger denial-of-service conditions under extreme system stress.
Statement: This vulnerability is marked as moderate instead of important because memory allocation failures are not typically controllable by an attacker, limiting their exploitability. While improper handling of malloc failures can lead to crashes, memory leaks, or inconsistent states, it does not directly result in privilege escalation or arbitrary code execution.
Additionally,
Microsoft · xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free. (vendor_msrc · 2025-01-14 · CVSS 8.1) · CVE-2022-49043 [HIGH] · CWE-416
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
mitre: mitre
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Debian · CVE-2022-49043: libxml2 - xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free. (vendor_debian · 2022 · CVSS 8.1) · CVE-2022-49043 [HIGH]
Scope: local
bookworm: resolved (fixed in 2.9.14+dfsg-1.3~deb12u2)
bullseye: resolved (fixed in 2.9.10+dfsg-6.7+deb11u6)
forky: resolved (fixed in 2.12.7+dfsg+really2.9.14-0.4)
sid: resolved (fixed in 2.12.7+dfsg+really2.9.14-0.4)
trixie: resolved (fixed in 2.12.7+dfsg+really2.9.14-0.4)
No detection rules found.
No public exploits indexed.
Published: 2025-01-26