
Libxml2, a widely used XML parsing library developed for the GNOME project but also utilized across various platforms, including Linux, Windows, macOS, and Unix-based systems, has been found to contain multiple vulnerabilities. These vulnerabilities, identified as CVE-2024-56171, CVE-2025-24928, and CVE-2025-27113, have been addressed in the latest releases of libxml2.
Vulnerability Details
- CVE-2024-56171 (CVSS 7.8): A use-after-free vulnerability exists in the xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables functions. This vulnerability can be exploited by processing a specially crafted XML document or schema, potentially leading to arbitrary code execution.
- CVE-2025-24928 (CVSS 7.8): A stack-based buffer overflow vulnerability has been discovered in the xmlSnprintfElements function. This vulnerability can be triggered during DTD validation of untrusted documents or DTDs, potentially leading to denial of service or arbitrary code execution.
- CVE-2025-27113 (CVSS 2.9): A NULL pointer dereference vulnerability exists in the xmlPatMatch function. This vulnerability can be triggered under specific circumstances, such as using the Perl module XML::LibXML::Reader with certain options or using the xmllint tool with specific flags.
Impact
These vulnerabilities affect various versions of libxml2 prior to 2.12.10 and 2.13.6. The impact of successful exploitation ranges from denial of service to potential arbitrary code execution, depending on the vulnerability and the context in which libxml2 is used.
Mitigation
Users of libxml2 are strongly encouraged to update to the latest versions, 2.12.10 or 2.13.6, to address these vulnerabilities. Older branches of libxml2 will not receive updates.
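To check an inventory against the fixed releases above, the following added example (not code from the article or the libxml2 project) classifies a libxml2 version given as a dotted string, a packed LIBXML_VERSION number, or a tuple. The host names and version strings are constructed, the function names are hypothetical, and it assumes that branches newer than 2.13 include the fixes and that distribution backports are not visible in the version number.

```python
import re

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED = {(2, 12): (2, 12, 10), (2, 13): (2, 13, 6)}

def parse_version(raw):
    """Accept a tuple, a dotted string ('2.13.5', '2.9.14+dfsg-1'),
    or the packed LIBXML_VERSION integer form ('21305')."""
    if isinstance(raw, (tuple, list)):
        return tuple(int(p) for p in raw[:3])
    text = str(raw).strip()
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if m:
        return tuple(int(g or 0) for g in m.groups())
    m = re.match(r"\d{5,6}(?!\d)", text)
    if m:  # packed form: major*10000 + minor*100 + micro
        n = int(m.group(0))
        return (n // 10000, (n // 100) % 100, n % 100)
    raise ValueError(f"unrecognised libxml2 version: {raw!r}")

def classify(raw):
    """Compare numerically; string comparison would rank 2.12.9 above 2.12.10."""
    v = parse_version(raw)
    fixed = FIXED.get(v[:2])
    if fixed is not None:
        return "patched" if v >= fixed else "vulnerable"
    if v < (2, 12, 0):
        return "vulnerable-unmaintained-branch"  # no upstream fix per the advisory
    return "assumed-patched"  # ASSUMPTION: branches after 2.13 include the fixes

# Constructed inventory (hypothetical hosts and version strings).
SAMPLE_INVENTORY = {
    "build-01": "2.12.9",
    "web-02": "2.12.10",
    "api-03": "21305",
    "db-04": "2.13.6",
    "legacy-05": "2.9.14+dfsg-1.3",
    "dev-06": (2, 14, 1),
}

def triage(inventory):
    """Map each host to its classification."""
    return {host: classify(ver) for host, ver in inventory.items()}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:10} {status}")
```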