Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close


Published: 29 August 2023

** DISPUTED ** Xmlsoft Libxml2 v2.11.0 was discovered to contain an out-of-bounds read via the xmlSAX2StartElement() function at /libxml2/SAX2.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted XML file. NOTE: the vendor's position is that the product does not support the legacy SAX1 interface with custom callbacks; there is a crash even without crafted input.


as explained by upstream in issue #535, this is not considered a
security issue, but, instead, a mode of operation that was not
working properly, regardless of the input provided. It is also
not possible to reproduce the issue in versions older than
2.11.0, meaning, no Ubuntu releases as of 2022-11-21 would
allow this, the provided PoC not being able to generate the crash
on these releases.



Cvss 3 Severity Score


Score breakdown


Package Release Status
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(see notes)
focal Not vulnerable
(see notes)
jammy Not vulnerable
(see notes)
lunar Not vulnerable
(see notes)
mantic Not vulnerable
(see notes)
trusty Not vulnerable
(see notes)
upstream Needs triage

xenial Not vulnerable
(see notes)

Severity score breakdown

Parameter Value
Base score 6.5
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality None
Integrity impact None
Availability impact High
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H