CVE-2023-29469

EPSS 0.06%
Published 24.04.2023 21:15:09
Last modified 04.02.2025 21:15:23
Source cve@mitre.org
Teams watchlist Login
Open Login

An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the '\0' value).

Affected products Warnungen 0 Metrics 3 CWE 1 References 7

Data is provided by the National Vulnerability Database (NVD)

Xmlsoft ≫ Libxml2 Version < 2.10.4

Debian ≫ Debian Linux Version10.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.06%	0.175

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CWE-415 Double Free

The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.

https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.4

Release Notes

https://lists.debian.org/debian-lts-announce/2023/04/msg00031.html

Third Party Advisory

Mailing List

https://security.netapp.com/advisory/ntap-20230601-0006/

https://gitlab.gnome.org/GNOME/libxml2/-/issues/510

Vendor Advisory

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2023-29469

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-29469

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-29469

EUVD