CVE-2023-39615

MEDIUM EPSS 47.2%
Published Aug 29, 20232y ago · Modified Jun 17, 20261w ago
6.5 CVSS 3.1
Medium
Find Similar
Published Aug 29, 2023 2y ago
Last Modified Jun 17, 2026 1w ago

Description

Xmlsoft Libxml2 v2.11.0 was discovered to contain an out-of-bounds read via the xmlSAX2StartElement() function at /libxml2/SAX2.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted XML file. NOTE: the vendor's position is that the product does not support the legacy SAX1 interface with custom callbacks; there is a crash even without crafted input.

CVSS Details

Base Score
6.5
Exploitability
2.8
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
47.2% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer Memory Safety

Affected Products 1

VendorProductVersionRange
xmlsoftlibxml22.11.0any

References 2

  • gitlab.gnome.org https://gitlab.gnome.org/GNOME/libxml2/-/issues/535
    ExploitIssue TrackingPatch
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html

Remediation

  • gitlab.gnome.org https://gitlab.gnome.org/GNOME/libxml2/-/issues/535
    ExploitIssue TrackingPatch