CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-24928 – libxml2: Stack-based buffer overflow in xmlSnprintfElements of libxml2
https://notcve.org/view.php?id=CVE-2025-24928
18 Feb 2025 — libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a stack-based buffer overflow in xmlSnprintfElements in valid.c. To exploit this, DTD validation must occur for an untrusted document or untrusted DTD. NOTE: this is similar to CVE-2017-9047. A flaw was found in libxml2. This vulnerability allows a stack-based buffer overflow via DTD validation of an untrusted document or untrusted DTD. • https://gitlab.gnome.org/GNOME/libxml2/-/issues/847 • CWE-121: Stack-based Buffer Overflow •
CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 0CVE-2024-56171 – libxml2: Use-After-Free in libxml2
https://notcve.org/view.php?id=CVE-2024-56171
18 Feb 2025 — libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used. A flaw was found in libxml2. This vulnerability allows a use-after-free via a crafted XML document validated against an XML schema with certain identity constraints or a crafted XML schema. It was discovered th... • https://gitlab.gnome.org/GNOME/libxml2/-/issues/828 • CWE-416: Use After Free •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-27113 – Ubuntu Security Notice USN-7302-1
https://notcve.org/view.php?id=CVE-2025-27113
18 Feb 2025 — libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c. It was discovered that libxml2 incorrectly handled certain memory operations. A remote attacker could use this issue to cause libxml2 to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 18.04 LTS. It was discovered that the libxml2 xmllint tool incorrectly handled certain memory operations. • https://gitlab.gnome.org/GNOME/libxml2/-/issues/861 • CWE-476: NULL Pointer Dereference •
CVSS: 9.1EPSS: 0%CPEs: 3EXPL: 0CVE-2024-40896 – Ubuntu Security Notice USN-7215-1
https://notcve.org/view.php?id=CVE-2024-40896
23 Dec 2024 — In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting "checked"). This makes classic XXE attacks possible. En libxml2 2.11 anterior a 2.11.9, 2.12 anterior a 2.12.9 y 2.13 anterior a 2.13.3, el analizador SAX puede producir eventos para entidades externas incluso si los controladores SAX personalizados intentan anular el contenido de la entidad (estableciendo "m... • https://gitlab.gnome.org/GNOME/libxml2/-/commit/1a8932303969907f6572b1b6aac4081c56adb5c6 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 1CVE-2024-25062 – libxml2: use-after-free in XMLReader
https://notcve.org/view.php?id=CVE-2024-25062
04 Feb 2024 — An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free. Se descubrió un problema en libxml2 anterior a 2.11.7 y 2.12.x anterior a 2.12.5. Cuando se utiliza la interfaz del Lector XML con la validación DTD y la expansión XInclude habilitada, el procesamiento de documentos XML manipulados puede generar un use-after-free... • https://gitlab.gnome.org/GNOME/libxml2/-/issues/604 • CWE-416: Use After Free •