CVE-2023-39615

MEDIUM

Libxml2 2.11.0 - Denial of Service via xmlSAX2StartElement Out-of-Bounds Read

Title source: llm

Description

Xmlsoft Libxml2 v2.11.0 was discovered to contain an out-of-bounds read via the xmlSAX2StartElement() function at /libxml2/SAX2.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted XML file. NOTE: the vendor's position is that the product does not support the legacy SAX1 interface with custom callbacks; there is a crash even without crafted input.

References (2)

Core 2

Core References

Exploit, Issue Tracking, Patch

https://gitlab.gnome.org/GNOME/libxml2/-/issues/535

Mailing List

https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html

Scores

CVSS v3 6.5

EPSS 0.0067

EPSS Percentile 47.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-119

Status published

Products (1)

xmlsoft/libxml2 2.11.0

Published Aug 29, 2023

Tracked Since Feb 18, 2026