CVE-2009-2416
MEDIUM
libxml2/libxml <2.7 - Use After Free
Title source: llm
Description
Multiple use-after-free vulnerabilities in libxml2 2.5.10, 2.6.16, 2.6.26, 2.6.27, and 2.6.32, and libxml 1.8.17, allow context-dependent attackers to cause a denial of service (application crash) via crafted (1) Notation or (2) Enumeration attribute types in an XML file, as demonstrated by the Codenomicon XML fuzzing framework.
Scores
CVSS v3: 6.5
EPSS: 0.0019
EPSS Percentile: 41.0%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Classification
CWE: CWE-416
Status: draft
Affected Products (33)
xmlsoft/libxml
xmlsoft/libxml2
xmlsoft/libxml2
xmlsoft/libxml2
xmlsoft/libxml2
xmlsoft/libxml2
fedoraproject/fedora
fedoraproject/fedora
debian/debian_linux
redhat/enterprise_linux
redhat/enterprise_linux
redhat/enterprise_linux
canonical/ubuntu_linux
canonical/ubuntu_linux
canonical/ubuntu_linux
... and 18 more
Timeline
Published: Aug 11, 2009
Tracked Since: Feb 18, 2026