First published: Tue May 03 2022
In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.
Credit: cve@mitre.org
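The unchecked length arithmetic the description refers to is easy to model. The block below is an added example written for this page, not code from libxml2: a toy buffer with the same 32-bit `unsigned int` `use`/`size` bookkeeping as `xmlBuffer` in tree.c, an append decision that computes `use + len + 1` without an overflow check, and the checked form that rejects the input before the sum can wrap. The struct, the enum, the function names and the constructed field values (a buffer already holding nearly 4 GiB) are assumptions made for illustration; nothing is actually written to memory, the functions only report what the following `memcpy` would have done.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of a modelled append. */
enum { ADD_OK = 0, ADD_GROW = 1, ADD_OOB_WRITE = 2, ADD_REJECTED = 3 };

/* Toy buffer header with 32-bit bookkeeping, the same width as the
 * `unsigned int use, size` fields of xmlBuffer in libxml2's tree.c.
 * Illustrative code written for this page, not libxml2's own. */
typedef struct {
    unsigned int use;   /* bytes currently holding data */
    unsigned int size;  /* bytes allocated */
} toy_buffer;

/* Unchecked variant: the class of bug the advisory describes. The space
 * needed for an append is computed in 32-bit arithmetic and wraps to a
 * small number once use + len + 1 exceeds UINT_MAX, so the "does it fit"
 * test passes and no reallocation happens. The 64-bit sum is the oracle
 * for what memcpy(content + use, data, len) would then have done. */
int add_unchecked(const toy_buffer *b, unsigned int len)
{
    unsigned int needed = b->use + len + 1;             /* may wrap */
    uint64_t real_needed = (uint64_t)b->use + len + 1;  /* never wraps */

    if (needed > b->size)
        return ADD_GROW;                  /* would realloc: harmless */
    return real_needed > b->size ? ADD_OOB_WRITE : ADD_OK;
}

/* Checked variant: refuse the append before the arithmetic can wrap.
 * len >= UINT_MAX - use  is equivalent to  use + len + 1 > UINT_MAX. */
int add_checked(const toy_buffer *b, unsigned int len)
{
    if (len >= UINT_MAX - b->use)
        return ADD_REJECTED;
    unsigned int needed = b->use + len + 1;             /* cannot wrap now */
    return needed > b->size ? ADD_GROW : ADD_OK;
}

static const char *outcome_name(int r)
{
    static const char *names[] = { "OK", "GROW", "OOB_WRITE", "REJECTED" };
    return names[r];
}

int main(void)
{
    /* Constructed state: a buffer that already holds almost 4 GiB of text,
     * which is why the advisory says a multi-gigabyte file is required. */
    toy_buffer huge  = { 0xFFFFFFF0u, 0xFFFFFFF8u };
    toy_buffer small = { 100u, 256u };

    printf("huge  + 0x20 bytes: unchecked=%s checked=%s\n",
           outcome_name(add_unchecked(&huge, 0x20)),
           outcome_name(add_checked(&huge, 0x20)));
    printf("small + 50 bytes  : unchecked=%s checked=%s\n",
           outcome_name(add_unchecked(&small, 50)),
           outcome_name(add_checked(&small, 50)));
    printf("small + 200 bytes : unchecked=%s checked=%s\n",
           outcome_name(add_unchecked(&small, 200)),
           outcome_name(add_checked(&small, 200)));
    return 0;
}
```

For the huge buffer, 0xFFFFFFF0 + 0x20 + 1 wraps to 0x11, the unchecked path concludes the data fits and would write 32 bytes past the allocation, while the checked path rejects the call. The wrap only occurs when `use` is already within a few bytes of UINT_MAX, which matches the advisory's remark that exploitation needs a multi-gigabyte XML document; when auditing other buffer code for the same class of defect, look for `use + len` on fixed-width sizes with no comparison against the type's maximum before the add.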
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/libxml2 | <0:2.9.7-13.el8_6.1 | 0:2.9.7-13.el8_6.1 |
redhat/libxml2 | <0:2.9.13-1.el9_0.1 | 0:2.9.13-1.el9_0.1 |
debian/libxml2 | <=2.9.10+dfsg-6.7, <=2.9.10+dfsg-6.7+deb11u1, <=2.9.4+dfsg1-7+deb10u3, <=2.9.13+dfsg-1, <=2.9.4+dfsg1-7 | 2.9.14+dfsg-1, 2.9.10+dfsg-6.7+deb11u2, 2.9.4+dfsg1-7+deb10u4 |
debian/libxml2 | 2.9.4+dfsg1-7+deb10u4, 2.9.4+dfsg1-7+deb10u6, 2.9.10+dfsg-6.7+deb11u4, 2.9.14+dfsg-1.3~deb12u1, 2.9.14+dfsg-1.3 | |
redhat/libxml2 | <2.9.14 | 2.9.14 |
libxml2-devel | <2.9.14 | |
libxslt | <=1.1.35 | |
Red Hat Fedora | =34 | |
Red Hat Fedora | =35 | |
Red Hat Fedora | =36 | |
Debian Linux | =9.0 | |
Debian Linux | =10.0 | |
Debian Linux | =11.0 | |
NetApp Active IQ Unified Manager | | |
IBM Data ONTAP | | |
NetApp ONTAP Antivirus Connector | | |
NetApp Manageability SDK | | |
NetApp ONTAP Select Deploy | | |
NetApp SMI-S Provider | | |
NetApp SnapDrive for Unix | | |
NetApp SnapManager for Hyper-V | | |
NetApp SolidFire & HCI Management Node | | |
Oracle Storage Cloud Software Appliance | =8.8 | |
NetApp H300S Firmware | | |
NetApp H500e Firmware | | |
NetApp H700S | | |
NetApp H410S | | |
NetApp H410S Firmware | | |
NetApp H410C | | |
NetApp H410C Firmware | | |
Upgrade to libxml2 2.9.14 or to a distribution build that carries the fix (see the table above); libxslt users need a release later than 1.1.35 or a patched package. Until the upgrade is in place, avoid passing large inputs to libxml2: the overflow needs a multi-gigabyte document, so rejecting or capping the size of untrusted XML before it is parsed removes the trigger.
CVE-2022-29824 is a vulnerability in the libxml2 library that can result in out-of-bounds memory writes.
CVE-2022-29824 has a severity rating of 7.4, indicating a high severity.
The libxml2 library versions before 2.9.14 are affected by CVE-2022-29824.
To fix CVE-2022-29824, update to libxml2 version 2.9.14 or later.
More information about CVE-2022-29824 can be found in the references provided: [reference 1], [reference 2], [reference 3].