First published: Tue May 03 2022
In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.
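As an added illustration of the defect class described above (this is example code, not libxml2's own source): a minimal growable byte buffer in C whose append path checks the size arithmetic for wrap-around and against a hard cap before it touches memory. All names here (demo_buf, DEMO_BUF_CAP, the 1.5x growth policy, the constructed sample input) are assumptions made for the example. demo_naive_needed shows the unchecked sum wrapping to a small value, which is the condition that lets a later copy run past the allocation; demo_checked_needed is the form a reviewer should expect in any buffer-growth routine.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not libxml2 code. A growable buffer loosely shaped like the
 * xmlBuf/xmlBuffer structures named in the advisory; every identifier below is
 * an assumption made for this illustration. */

#define DEMO_BUF_CAP ((size_t)1 << 30)   /* hard cap per buffer: 1 GiB (constructed) */

typedef struct {
    unsigned char *content;
    size_t use;    /* bytes currently in use */
    size_t size;   /* bytes allocated */
} demo_buf;

/* Unchecked arithmetic of the kind the advisory describes: when use + add
 * exceeds SIZE_MAX the sum wraps silently and yields a tiny "needed" value. */
size_t demo_naive_needed(size_t use, size_t add) {
    return use + add;
}

/* Checked version: returns 1 and stores use + add in *needed only when the sum
 * neither wraps nor exceeds cap; otherwise returns 0 and leaves *needed alone. */
int demo_checked_needed(size_t use, size_t add, size_t cap, size_t *needed) {
    if (add > SIZE_MAX - use) return 0;   /* use + add would wrap around */
    if (use + add > cap) return 0;        /* would exceed the configured cap */
    *needed = use + add;
    return 1;
}

void demo_buf_init(demo_buf *b) { b->content = NULL; b->use = 0; b->size = 0; }
void demo_buf_free(demo_buf *b) { free(b->content); demo_buf_init(b); }

/* Ensure room for add more bytes plus a NUL terminator. Returns 0 on success,
 * -1 if the request is refused (wrap-around, cap) or allocation fails. */
int demo_buf_grow(demo_buf *b, size_t add) {
    size_t needed;
    if (add == SIZE_MAX) return -1;       /* add + 1 below must not wrap either */
    if (!demo_checked_needed(b->use, add + 1, DEMO_BUF_CAP, &needed)) return -1;
    if (needed <= b->size) return 0;      /* already enough room */

    /* grow by 1.5x, but never below needed and never above the cap;
     * size is bounded by DEMO_BUF_CAP so this multiplication cannot wrap */
    size_t newsize = b->size + b->size / 2;
    if (newsize < needed || newsize > DEMO_BUF_CAP) newsize = needed;
    unsigned char *p = realloc(b->content, newsize);
    if (p == NULL) return -1;
    b->content = p;
    b->size = newsize;
    return 0;
}

/* Append len bytes; refuses the request rather than writing out of bounds. */
int demo_buf_add(demo_buf *b, const unsigned char *data, size_t len) {
    if (demo_buf_grow(b, len) != 0) return -1;
    memcpy(b->content + b->use, data, len);
    b->use += len;
    b->content[b->use] = '\0';
    return 0;
}

/* Self-check: appends a constructed sample, then requests an absurd length.
 * Returns 1 when the small append succeeds and the oversized one is refused
 * with the buffer left intact. */
int demo_selfcheck(void) {
    demo_buf b;
    demo_buf_init(&b);
    const unsigned char sample[] = "<doc>constructed sample</doc>";
    size_t n = sizeof sample - 1;
    int ok = demo_buf_add(&b, sample, n) == 0 && b.use == n;
    int refused = demo_buf_add(&b, sample, SIZE_MAX - 4) == -1 && b.use == n;
    demo_buf_free(&b);
    return ok && refused;
}

int main(void) {
    printf("naive sum of SIZE_MAX-4 and 10 wraps to %zu\n",
           demo_naive_needed(SIZE_MAX - 4, 10));
    printf("checked buffer self-check passed: %d\n", demo_selfcheck());
    return 0;
}
```

The check `add > SIZE_MAX - use` (or its equivalent for whatever integer type holds the length) is the idiom to look for when auditing buffer-growth code; the hard cap is the code-level counterpart of the workaround stated below, keeping very large inputs from reaching the buffer layer at all.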
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/libxml2 | <0:2.9.7-13.el8_6.1 | 0:2.9.7-13.el8_6.1 |
redhat/libxml2 | <0:2.9.13-1.el9_0.1 | 0:2.9.13-1.el9_0.1 |
debian/libxml2 | <=2.9.10+dfsg-6.7, <=2.9.10+dfsg-6.7+deb11u1, <=2.9.4+dfsg1-7+deb10u3, <=2.9.13+dfsg-1, <=2.9.4+dfsg1-7 | 2.9.14+dfsg-1, 2.9.10+dfsg-6.7+deb11u2, 2.9.4+dfsg1-7+deb10u4 |
debian/libxml2 | 2.9.4+dfsg1-7+deb10u4, 2.9.4+dfsg1-7+deb10u6, 2.9.10+dfsg-6.7+deb11u4, 2.9.14+dfsg-1.3~deb12u1, 2.9.14+dfsg-1.3 | |
redhat/libxml2 | <2.9.14 | 2.9.14 |
Xmlsoft Libxml2 | <2.9.14 | |
Xmlsoft Libxslt | <=1.1.35 | |
Fedoraproject Fedora | =34 | |
Fedoraproject Fedora | =35 | |
Fedoraproject Fedora | =36 | |
Debian Debian Linux | =9.0 | |
Debian Debian Linux | =10.0 | |
Debian Debian Linux | =11.0 | |
Netapp Active Iq Unified Manager Vsphere | | |
NetApp Clustered Data ONTAP | | |
Netapp Clustered Data Ontap Antivirus Connector | | |
Netapp Manageability Software Development Kit | | |
NetApp ONTAP Select Deploy administration utility | | |
Netapp Smi-s Provider | | |
Netapp Snapdrive Unix | | |
Netapp Snapmanager Hyper-v | | |
Netapp Solidfire & Hci Management Node | | |
Oracle ZFS Storage Appliance Kit | =8.8 | |
Netapp H300s Firmware | | |
Netapp H300s | | |
Netapp H500s Firmware | | |
Netapp H500s | | |
Netapp H700s Firmware | | |
Netapp H700s | | |
Netapp H410s Firmware | | |
Netapp H410s | | |
Netapp H410c Firmware | | |
Netapp H410c | | |
Avoid passing large inputs to the libxml2 library.
CVE-2022-29824 is a vulnerability in the libxml2 library that can result in out-of-bounds memory writes.
CVE-2022-29824 has a severity rating of 7.4, indicating a high severity.
The libxml2 library versions before 2.9.14 are affected by CVE-2022-29824.
To fix CVE-2022-29824, update to libxml2 version 2.9.14 or later.
More information about CVE-2022-29824 can be found in the references provided: [reference 1], [reference 2], [reference 3].