Use-after-free in libxml2 (Alpine package)



Published: 2017-03-01
Risk: High
Patch available: YES
Number of vulnerabilities: 1
CVE-ID: CVE-2016-5131
CWE-ID: CWE-416
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: libxml2 (Alpine package)
Operating systems & Components / Operating system package or component

Vendor: Alpine Linux Development Team

Security Bulletin

This security bulletin contains one high-risk vulnerability.

1) Use-after-free

EUVDB-ID: #VU33135

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-5131

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise a vulnerable system.

The vulnerability exists due to a use-after-free error when processing vectors related to the XPointer range-to function. A remote attacker can cause a denial of service or execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

libxml2 (Alpine package): 2.9.0-r0 - 2.9.4-r0

External links

http://git.alpinelinux.org/aports/commit/?id=1647bdc21ffc22aacee5ea142d372445d1fd5b03
http://git.alpinelinux.org/aports/commit/?id=5e57be93778177ca048236091d2814a4ad205903
http://git.alpinelinux.org/aports/commit/?id=9ba0323ae03ecb1319c9174e281260c37544fa1d
http://git.alpinelinux.org/aports/commit/?id=a6c278e2f3d21e7ffc9b25ad0cd3845c3caafcf9
http://git.alpinelinux.org/aports/commit/?id=a49c9e6942d3d44160b5470c06957e99a8191d7f
http://git.alpinelinux.org/aports/commit/?id=80f4efd8ae07abf0f36afd88e30f5a1ed1f94628
http://git.alpinelinux.org/aports/commit/?id=a8ef9c16d812122791a1c0db9b959b334dca251a
http://git.alpinelinux.org/aports/commit/?id=bcc94c075904765e11b35a719e373388fbb4cf5b
http://git.alpinelinux.org/aports/commit/?id=db47c66f69ce6d0298c4052d013b8f8728504218
http://git.alpinelinux.org/aports/commit/?id=dcaf79da3440ea80eafc856d1f3306fca8269e22
http://git.alpinelinux.org/aports/commit/?id=fe32be2999c838cc28f459e3423958e5237b0626


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


