CVE-2015-8806

moderate-risk
Published 2016-04-13

dict.c in libxml2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via an unexpected character immediately after the "<!DOCTYPE html" substring in a crafted HTML document.

Do I need to act?

~
6.1% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (6)

Affected Vendors

Canonical Xmlsoft Debian

References (14)

Mailing List http://www.openwall.com/lists/oss-security/2016/02/03/5
Third Party Advisory http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
Third Party Advisory http://www.securityfocus.com/bid/82071
Third Party Advisory http://www.ubuntu.com/usn/USN-2994-1
Issue Tracking https://bugzilla.gnome.org/show_bug.cgi?id=749115
Third Party Advisory https://security.gentoo.org/glsa/201701-37
Third Party Advisory https://www.debian.org/security/2016/dsa-3593
Mailing List http://www.openwall.com/lists/oss-security/2016/02/03/5
Third Party Advisory http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
Third Party Advisory http://www.securityfocus.com/bid/82071
Third Party Advisory http://www.ubuntu.com/usn/USN-2994-1
Issue Tracking https://bugzilla.gnome.org/show_bug.cgi?id=749115
Third Party Advisory https://security.gentoo.org/glsa/201701-37
Third Party Advisory https://www.debian.org/security/2016/dsa-3593
48
/ 100
moderate-risk
Severity 26/34 · High
Exploitability 9/34 · Low
Exposure 13/34 · Low