CVE-2022-49043
published 2025-01-26

CVE-2022-49043: xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free.

Priority: P340 high
CVSS 3.1: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.26% (17.0th percentile)

Affected

18 ranges
Vendor | Product | Version range | Fixed in
debian | libxml2 | < libxml2 2.9.14+dfsg-1.3~deb12u2 (bookworm) | libxml2 2.9.14+dfsg-1.3~deb12u2 (bookworm)
msrc | cbl2_libxml2_2.10.4-5_on_cbl_mariner_2.0 | | 
msrc | cbl2_libxml2_2.10.4-6_on_cbl_mariner_2.0 | | 
xmlsoft | libxml2 | < 2.11.0 | 2.11.0
xmlsoft | libxml2 | >= 0 < 2.9.10+dfsg-6.7+deb11u6 | 2.9.10+dfsg-6.7+deb11u6
xmlsoft | libxml2 | >= 0 < 2.9.14+dfsg-1.3~deb12u2 | 2.9.14+dfsg-1.3~deb12u2
xmlsoft | libxml2 | >= 0 < 2.12.7+dfsg+really2.9.14-0.4 | 2.12.7+dfsg+really2.9.14-0.4
xmlsoft | libxml2 | >= 0 < 2.12.7+dfsg+really2.9.14-0.4 | 2.12.7+dfsg+really2.9.14-0.4
xmlsoft | libxml2 | >= 0 < 2.9.10+dfsg-5ubuntu0.20.04.9 | 2.9.10+dfsg-5ubuntu0.20.04.9
xmlsoft | libxml2 | >= 0 < 2.9.10+dfsg-5ubuntu0.20.04.8 | 2.9.10+dfsg-5ubuntu0.20.04.8
xmlsoft | libxml2 | >= 0 < 2.9.13+dfsg-1ubuntu0.6 | 2.9.13+dfsg-1ubuntu0.6
xmlsoft | libxml2 | >= 0 < 2.9.13+dfsg-1ubuntu0.5 | 2.9.13+dfsg-1ubuntu0.5
xmlsoft | libxml2 | >= 0 < 2.9.14+dfsg-1.3ubuntu3.2 | 2.9.14+dfsg-1.3ubuntu3.2
xmlsoft | libxml2 | >= 0 < 2.9.14+dfsg-1.3ubuntu3.1 | 2.9.14+dfsg-1.3ubuntu3.1
xmlsoft | libxml2 | >= 0 < 2.9.1+dfsg1-3ubuntu4.13+esm7 | 2.9.1+dfsg1-3ubuntu4.13+esm7
xmlsoft | libxml2 | >= 0 < 2.9.3+dfsg1-1ubuntu0.7+esm7 | 2.9.3+dfsg1-1ubuntu0.7+esm7
xmlsoft | libxml2 | >= 0 < 2.9.4+dfsg1-6.1ubuntu1.9+esm2 | 2.9.4+dfsg1-6.1ubuntu1.9+esm2
xmlsoft | libxml2 | >= 2.0.0 < 2.11.0 | 2.11.0

CVSS provenance

Source | CVSS version | Score | Severity | Vector
nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv | | 7.8 | HIGH |
vendor_debian | | 8.1 | HIGH |
vendor_msrc | | 8.1 | HIGH |
vendor_redhat | | 8.1 | HIGH |
vendor_ubuntu | | 8.1 | HIGH |