CVE-2023-45322

MEDIUM EPSS 52.8%
Published Oct 6, 20232y ago · Modified Jun 17, 20261w ago
6.5 CVSS 3.1
Medium
Find Similar
Published Oct 6, 2023 2y ago
Last Modified Jun 17, 2026 1w ago

Description

libxml2 through 2.11.5 has a use-after-free that can only occur after a certain memory allocation fails. This occurs in xmlUnlinkNode in tree.c. NOTE: the vendor's position is "I don't think these issues are critical enough to warrant a CVE ID ... because an attacker typically can't control when memory allocations fail."

CVSS Details

Base Score
6.5
Exploitability
2.8
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
52.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-416 Use After Free Memory Safety

Affected Products 1

VendorProductVersionRange
xmlsoftlibxml2* ≤2.11.5

References 4

  • openwall.com http://www.openwall.com/lists/oss-security/2023/10/06/5
    Mailing ListPatchThird Party Advisory
  • gitlab.gnome.org https://gitlab.gnome.org/GNOME/libxml2/-/issues/344
    Issue TrackingPatchVendor Advisory
  • gitlab.gnome.org https://gitlab.gnome.org/GNOME/libxml2/-/issues/583
    Issue TrackingPatchVendor Advisory
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html

Remediation

  • openwall.com http://www.openwall.com/lists/oss-security/2023/10/06/5
    Mailing ListPatchThird Party Advisory
  • gitlab.gnome.org https://gitlab.gnome.org/GNOME/libxml2/-/issues/344
    Issue TrackingPatchVendor Advisory
  • gitlab.gnome.org https://gitlab.gnome.org/GNOME/libxml2/-/issues/583
    Issue TrackingPatchVendor Advisory