Severity by source
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local vector with no privileges required to run xmlcatalog; user must actively invoke --shell mode (UI:R); impact is limited to process crash (A:L) within the unchanged xmlcatalog process scope.
Primary rating from Vendor (CERT-PL).
CVSS VectorVendor: CERT-PL
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
libxml2 is vulnerable to multiple stack-based buffer overflows in the xmlcatalog utility when running in --shell mode. The usershell() function processes user input using fixed-size stack buffers without proper bounds checking. By supplying an overly long input line, an attacker can overflow internal buffers (command, arg, and argv) during input parsing. This results in memory corruption within the stack frame. Successful exploitation may cause a crash or potentially allow arbitrary code execution in the context of the xmlcatalog process.
This issue has been fixed in the commit c2e233fc.
NOTE: The maintainers of this project did not agree that this issue is a vulnerability and considered it a bug.
AnalysisAI
Stack-based buffer overflows in libxml2's xmlcatalog utility enable memory corruption and potential arbitrary code execution when the tool is invoked in its interactive --shell mode. The usershell() function writes user-supplied input into fixed-size stack buffers (command, arg, argv) without any length validation, allowing overflow of adjacent stack memory including return addresses. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the attacker or victim explicitly invoke the xmlcatalog utility with the --shell flag to enter interactive shell mode - this is a non-default, non-automated invocation that is not triggered during any normal XML processing workflow or library API call. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 1.8 (AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:L/SI:L/SA:N) places this at the lowest practical severity tier. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user on a Linux system runs xmlcatalog with the --shell flag to enter interactive mode, then supplies or pipes an excessively long input string, overflowing the fixed-size command/arg/argv buffers in usershell() and corrupting the stack frame. On systems without effective stack canaries or with exploitable memory layouts, this could permit a ROP-chain or shellcode execution within the xmlcatalog process context; on hardened systems, the realistic outcome is a process crash. … |
| Remediation | The upstream fix is available as GitLab commit c2e233fc (https://gitlab.gnome.org/GNOME/libxml2/-/commit/c2e233fc1b341685fc99621b2768b503f777a72e); a formally tagged patched release version has not been confirmed from available data - monitor the libxml2 GNOME GitLab repository for a tagged release incorporating this commit and apply it once available. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Stack-based buffer overflow in libxml2's xmlBuildQName function allows remote unauthenticated attackers to crash affecte
xpointer.c in libxml2 before 2.9.5 (as used in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS befor
The xmlNextChar function in libxml2 before 2.9.4 allows remote attackers to cause a denial of service (heap-based buffer
Heap-based buffer overflow in the xmlStrncat function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X b
Heap-based buffer overflow in the xmlFAParsePosCharGroup function in libxml2 before 2.9.4, as used in Apple iOS before 9
A buffer overflow was discovered in libxml2 20904-GITv2.9.4-16-g0741801. Rated high severity (CVSS 7.5), this vulnerabil
The xmlParseElementDecl function in parser.c in libxml2 before 2.9.4 allows context-dependent attackers to cause a denia
parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities. Rated high severity (CVSS 7.
The xmlBufAttrSerializeTxtContent function in xmlsave.c in libxml2 allows context-dependent attackers to cause a denial
Multiple use-after-free vulnerabilities in libxml2 2.9.0 and possibly other versions might allow context-dependent attac
The xmlDictAddString function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS befo
The xmlPArserPrintFileContextInternal function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 1
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40092
GHSA-h67q-h62w-5mjr