CVE-2024-56171

HIGH

Xmlsoft Libxml2 < 2.12.10 - Use After Free

Title source: rule

Description

libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.

References (11)

[Issue Tracking] https://gitlab.gnome.org/GNOME/libxml2/-/issues/828

[Mailing List] http://seclists.org/fulldisclosure/2025/Apr/10

[Mailing List] http://seclists.org/fulldisclosure/2025/Apr/11

[Mailing List] http://seclists.org/fulldisclosure/2025/Apr/12

[Mailing List] http://seclists.org/fulldisclosure/2025/Apr/13

[Mailing List] http://seclists.org/fulldisclosure/2025/Apr/4

[Mailing List] http://seclists.org/fulldisclosure/2025/Apr/5

[Mailing List] http://seclists.org/fulldisclosure/2025/Apr/8

[Mailing List] http://seclists.org/fulldisclosure/2025/Apr/9

[Mailing List] https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20250328-0010/

Scores

CVSS v3 7.8

EPSS 0.0008

EPSS Percentile 24.1%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

Classification

CWE

CWE-416

Status published

Affected Products (11)

xmlsoft/libxml2 < 2.12.10

netapp/hci_compute_node

netapp/h410c_firmware

netapp/h300s_firmware

netapp/h500s_firmware

netapp/h700s_firmware

netapp/h410s_firmware

netapp/active_iq_unified_manager

netapp/manageability_software_development_kit

netapp/ontap

netapp/solidfire_\&_hci_management_node

Timeline

Published Feb 18, 2025

Tracked Since Feb 18, 2026