CVE-2016-4658: Buffer Overflow
First published: Sun Sep 25 2016(Updated: )
The libxml2 library, as used in multiple products, could allow a remote attacker to execute arbitrary code on the system, caused by a memory corruption error. An attacker could exploit this vulnerability using a specially crafted XML document to execute arbitrary code on the system or cause a denial of service.
Credit: product-security@apple.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Google Android | ||
| Apple iPhone OS | <10.0 | |
| Apple Mac OS X | <10.12 | |
| Apple tvOS | <10.0 | |
| Apple watchOS | <3.0 | |
| Xmlsoft Libxml2 | <2.9.5 | |
| <=10.5 | ||
| <=10.6 | ||
| <=11.0 | ||
| <=11.1 | ||
| <=11.2 | ||
| <=11.3 | ||
| <=11.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://android.googlesource.com/platform/external/libxml2/+/8ea80f29ea5fdf383ee3ae59ce35e55421a339f8
- https://source.android.com/docs/security/bulletin/2017-06-01 (Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/117175
- https://www.ibm.com/support/pages/node/6831647 (Advisory)
- http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html
- http://lists.apple.com/archives/security-announce/2016/Sep/msg00008.html
- http://lists.apple.com/archives/security-announce/2016/Sep/msg00010.html
- http://lists.apple.com/archives/security-announce/2016/Sep/msg00011.html
- http://www.securityfocus.com/bid/93054
- http://www.securitytracker.com/id/1036858
- http://www.securitytracker.com/id/1038623
- https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b
- https://security.gentoo.org/glsa/201701-37
- https://support.apple.com/HT207141
- https://support.apple.com/HT207142
- https://support.apple.com/HT207143
- https://support.apple.com/HT207170
Frequently Asked Questions
What is CVE-2016-4658?
CVE-2016-4658 is a vulnerability in the libxml2 library that allows a remote attacker to execute arbitrary code or cause a denial of service.
Which products are affected by CVE-2016-4658?
CVE-2016-4658 affects Google Android, Apple iPhone OS (up to version 10.0), Apple Mac OS X (up to version 10.12), Apple tvOS (up to version 10.0), Apple watchOS (up to version 3.0), Xmlsoft Libxml2 (up to version 2.9.5), and IBM Security Guardium (up to version 11.4).
What is the severity of CVE-2016-4658?
CVE-2016-4658 has a severity rating of 9.8 (Critical).
How can CVE-2016-4658 be fixed?
To fix CVE-2016-4658, users should update to a version of the affected software that includes the necessary patches or security updates.
Where can I find more information about CVE-2016-4658?
You can find more information about CVE-2016-4658 on the IBM X-Force Exchange website and the IBM Support website, as well as on the official Android source code repository.
- agent/weakness
- agent/type
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/remedy
- agent/severity
- agent/references
- agent/author
- agent/description
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/tags
- agent/first-publish-date
- agent/event
- collector/android-source
- source/Android
- agent/last-modified-date
- agent/trending
- vendor/apple
- canonical/apple iphone os
- canonical/apple mac os x
- canonical/apple tvos
- canonical/apple watchos
- vendor/xmlsoft
- canonical/xmlsoft libxml2
- vendor/ibm
- canonical/ibm security guardium
- version/ibm security guardium/10.5
- version/ibm security guardium/10.6
- version/ibm security guardium/11.0
- version/ibm security guardium/11.1
- version/ibm security guardium/11.2
- version/ibm security guardium/11.3
- version/ibm security guardium/11.4
- vendor/google
- canonical/google android