Vulnerability Description
libxml2 through 2.11.5 has a use-after-free that can only occur after a certain memory allocation fails. This occurs in xmlUnlinkNode in tree.c. NOTE: the vendor's position is "I don't think these issues are critical enough to warrant a CVE ID ... because an attacker typically can't control when memory allocations fail."
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Xmlsoft | Libxml2 | <= 2.11.5 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2023/10/06/5Mailing ListPatchThird Party Advisory
- https://gitlab.gnome.org/GNOME/libxml2/-/issues/344Issue TrackingPatchVendor Advisory
- https://gitlab.gnome.org/GNOME/libxml2/-/issues/583Issue TrackingPatchVendor Advisory
- http://www.openwall.com/lists/oss-security/2023/10/06/5Mailing ListPatchThird Party Advisory
- https://gitlab.gnome.org/GNOME/libxml2/-/issues/344Issue TrackingPatchVendor Advisory
- https://gitlab.gnome.org/GNOME/libxml2/-/issues/583Issue TrackingPatchVendor Advisory
- https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html
FAQ
What is CVE-2023-45322?
CVE-2023-45322 is a vulnerability with a CVSS score of 6.5 (MEDIUM). libxml2 through 2.11.5 has a use-after-free that can only occur after a certain memory allocation fails. This occurs in xmlUnlinkNode in tree.c. NOTE: the vendor's position is "I don't think these iss...
How severe is CVE-2023-45322?
CVE-2023-45322 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-45322?
Check the references section above for vendor advisories and patch information. Affected products include: Xmlsoft Libxml2.