CVE-2009-2416

Multiple use-after-free vulnerabilities in libxml2 2.5.10, 2.6.16, 2.6.26, 2.6.27, and 2.6.32, and libxml 1.8.17, allow context-dependent attackers to cause a denial of service (application crash) via crafted (1) Notation or (2) Enumeration attribute types in an XML file, as demonstrated by the Codenomicon XML fuzzing framework.

Published: Aug 11, 2009
Updated: May 9, 2024
CVE: CVE-2009-2416
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:N/A:P

CWEs:

Affected Software
References

Software	From	Fixed in
xmlsoft / libxml2	2.6.16	2.6.16.x
xmlsoft / libxml2	2.6.32	2.6.32.x
xmlsoft / libxml2	2.6.26	2.6.26.x
xmlsoft / libxml2	2.6.27	2.6.27.x
xmlsoft / libxml	1.8.17	1.8.17.x
xmlsoft / libxml2	2.5.10	2.5.10.x
fedoraproject / fedora	11	11.x
fedoraproject / fedora	10	10.x
debian / debian_linux	4.0	4.0.x
redhat / enterprise_linux	4.0	4.0.x
redhat / enterprise_linux	5.0	5.0.x
redhat / enterprise_linux	3.0	3.0.x
canonical / ubuntu_linux	9.04	9.04.x
canonical / ubuntu_linux	8.10	8.10.x
canonical / ubuntu_linux	8.04	8.04.x
canonical / ubuntu_linux	6.06	6.06.x
google / chrome	-	2.0.172.43
apple / mac_os_x	-	10.4.11
apple / safari	-	4.0.4
apple / mac_os_x_server	10.5.0	10.5.8
apple / mac_os_x	10.5.0	10.5.8
apple / iphone_os	2.0	4.0
apple / mac_os_x	10.6.0	10.6.2
apple / mac_os_x_server	10.6.0	10.6.2
apple / mac_os_x_server	-	10.4.11
suse / linux_enterprise_server	9	9.x
suse / linux_enterprise	11.0	11.0.x
suse / linux_enterprise	10.0	10.0.x
opensuse / opensuse	10.3	11.1.x
vmware / esxi	3.5	3.5.x
vmware / esxi	4.0	4.0.x
vmware / esx	3.5	3.5.x
vmware / esx	4.0	4.0.x
vmware / vma	4.0	4.0.x
vmware / esx	3.0.3	3.0.3.x
vmware / vcenter_server	4.0	4.0.x
sun / openoffice.org	2.0.0	2.4.3
sun / openoffice.org	3.0.0	3.1.1

Vulnerability Database

289,689

CVE-2009-2416