CVE-2009-2416

moderate-risk

Published 2009-08-11

Multiple use-after-free vulnerabilities in libxml2 2.5.10, 2.6.16, 2.6.26, 2.6.27, and 2.6.32, and libxml 1.8.17, allow context-dependent attackers to cause a denial of service (application crash) via crafted (1) Notation or (2) Enumeration attribute types in an XML file, as demonstrated by the Codenomicon XML fuzzing framework.

Do I need to act?

0.19% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.5/10 Medium

NETWORK / LOW complexity

Affected Products (20)

Libxml

Libxml2

Fedora

Debian Linux

Enterprise Linux

Ubuntu Linux

Chrome

Safari

Iphone Os

Mac Os X

Mac Os X Server

Linux Enterprise

Linux Enterprise Server

Esxi

Affected Vendors

Fedoraproject Sun Redhat Suse Xmlsoft Vmware Apple Google Canonical Opensuse Debian

References (72)

Release Notes http://googlechromereleases.blogspot.com/2009/08/stable-update-security-fixes.ht...

Mailing List http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html

Mailing List http://lists.apple.com/archives/security-announce/2009/Nov/msg00001.html

Mailing List http://lists.apple.com/archives/security-announce/2010/Jun/msg00003.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2009-09/msg00001.html

Broken Link http://secunia.com/advisories/35036

Broken Link http://secunia.com/advisories/36207

Broken Link http://secunia.com/advisories/36338

Broken Link http://secunia.com/advisories/36417

Broken Link http://secunia.com/advisories/36631

Broken Link http://secunia.com/advisories/37346

Broken Link http://secunia.com/advisories/37471

Third Party Advisory http://support.apple.com/kb/HT3937

Third Party Advisory http://support.apple.com/kb/HT3949

Third Party Advisory http://support.apple.com/kb/HT4225

Broken Link http://www.cert.fi/en/reports/2009/vulnerability2009085.html

Broken Link http://www.codenomicon.com/labs/xml/

Mailing List http://www.debian.org/security/2009/dsa-1859

Patch http://www.mail-archive.com/debian-bugs-dist%40lists.debian.org/msg678527.html

Broken Link http://www.networkworld.com/columnists/2009/080509-xml-flaw.html

and 52 more references

/ 100

moderate-risk

Severity 24/34 · High

Exploitability 1/34 · Minimal

Exposure 23/34 · High