CVE-2017-15412

HIGH

Redhat Enterprise Linux Desktop < 63.0.3239.84 - Use After Free

Title source: rule

Description

Use after free in libxml2 before 2.9.5, as used in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Exploits (2)

github WORKING POC 1 stars

by vaishakhcv · perlpoc

https://github.com/vaishakhcv/CVE-exploits/tree/master/CVE-2017-15412

View Code ZIP pw:eip

github WORKING POC

by winterwolf32 · perlpoc

https://github.com/winterwolf32/CVE_Exploits-/tree/master/CVE-2017-15412

View Code ZIP pw:eip

References (9)

[Issue Tracking] https://crbug.com/727039

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id/1040348

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2017:3401

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2018:0287

[Release Notes, Vendor Advisory] https://chromereleases.googleblog.com/2017/12/stable-channel-update-for-desktop.html

[Mailing List] https://lists.debian.org/debian-lts-announce/2017/12/msg00014.html

[Third Party Advisory] https://www.debian.org/security/2018/dsa-4086

[Third Party Advisory] https://security.gentoo.org/glsa/201801-03

[Issue Tracking] https://bugzilla.gnome.org/show_bug.cgi?id=783160

Scores

CVSS v3 8.8

EPSS 0.0199

EPSS Percentile 83.4%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Classification

CWE

CWE-416

Status published

Affected Products (9)

redhat/enterprise_linux_desktop

redhat/enterprise_linux_server

redhat/enterprise_linux_workstation

debian/debian_linux

google/chrome < 63.0.3239.84

xmlsoft/libxml2 < 2.9.5

rubygems/nokogiri < 1.8.2RubyGems

Timeline

Published Aug 28, 2018

Tracked Since Feb 18, 2026