CVE-2019-19956

7.5 HIGH

📋 TL;DR

CVE-2019-19956 is a memory leak vulnerability in libxml2's XML parser that occurs when processing certain malformed XML documents. This vulnerability affects any application or system using libxml2 versions before 2.9.10 for XML parsing. Attackers could exploit this to cause denial of service through resource exhaustion.

💻 Affected Systems

Products:
  • libxml2
  • Applications using libxml2 library
  • GNOME applications
  • Various Linux distributions
  • Siemens products listed in advisory
Versions: libxml2 versions before 2.9.10
Operating Systems: Linux, Unix-like systems, Windows (if using vulnerable libxml2)
Default Config Vulnerable: ⚠️ Yes
Notes: Any application that uses libxml2 for XML parsing is potentially vulnerable. The vulnerability is in the core library and affects all configurations that parse XML.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Sustained exploitation could lead to complete system memory exhaustion, causing denial of service and potentially crashing affected applications or systems.

🟠 Likely Case

Application instability, degraded performance, or crashes of XML processing services due to memory exhaustion over time.

🟢 If Mitigated

Limited impact with proper memory limits and monitoring; affected services might restart automatically with minimal disruption.

🌐 Internet-Facing: MEDIUM - XML parsing is common in web services, but exploitation requires sending malformed XML and typically only causes DoS rather than code execution.
🏢 Internal Only: LOW - Internal systems are less likely to receive malicious XML payloads, and DoS impact is typically less critical internally.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending malformed XML to a vulnerable parser. Memory leak exploits are relatively straightforward to implement.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: libxml2 2.9.10 and later

Vendor Advisory: https://gitlab.gnome.org/GNOME/libxml2/commit/5a02583c7e683896d84878bd90641d8d9b0d0549

Restart Required: Yes

Instructions:

  1. Update libxml2 to version 2.9.10 or later using your distribution's package manager.
  2. For Linux: 'sudo apt update && sudo apt upgrade libxml2' (Debian/Ubuntu) or 'sudo yum update libxml2' (RHEL/CentOS).
  3. Restart any services or applications using libxml2.
  4. Recompile any statically linked applications with the updated library.

🔧 Temporary Workarounds

XML Input Validation

Platform: all

Implement strict XML schema validation and size limits on XML input to prevent malformed documents from reaching the vulnerable parser.

Memory Limit Enforcement

Platform: all

Set memory limits on processes using libxml2 to contain memory exhaustion impact.

ulimit -v [LIMIT_IN_KB] (Linux)
Set-ProcessMitigation (Windows)

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to block malformed XML payloads
  • Monitor memory usage of XML parsing services and implement automatic restart thresholds

🔍 How to Verify

Check if Vulnerable:

Check the libxml2 version: 'xml2-config --version' or 'dpkg -l | grep libxml2' or 'rpm -qa | grep libxml2'. If the version is below 2.9.10, the system is vulnerable.

Check Version:

xml2-config --version || dpkg -l | grep libxml2 || rpm -qa | grep libxml2

Verify Fix Applied:

After the update, verify that the version is 2.9.10 or higher using the same commands. Test that XML parsing functionality remains operational.
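The version check above, carried through as a small script. This is an added example, not part of the advisory or of the libxml2 project: it runs the advisory's probes in order (xml2-config, then dpkg, then rpm; the dpkg-query and rpm query formats used here are substitutions for the advisory's grep pipelines so that a bare version string comes back), normalises distribution-style version strings such as '1:2.9.10+dfsg-5ubuntu0.20.04.1', and compares the upstream part against 2.9.10.

```python
"""Added example (not from the advisory): decide whether an installed
libxml2 is below the fixed release 2.9.10 for CVE-2019-19956.

Version strings are normalised the way distribution packages present them:
an epoch before ':' and a package revision after '-' are dropped, and each
dotted component keeps only its leading digits ('10+dfsg' -> 10).
"""
import re
import shutil
import subprocess

FIXED_VERSION = "2.9.10"  # first upstream release with the fix (from the advisory)

# Probes tried in order; dpkg-query/rpm formats are assumptions chosen to
# print only the version, where the advisory uses 'dpkg -l'/'rpm -qa' + grep.
VERSION_PROBES = [
    ("xml2-config", ["xml2-config", "--version"]),
    ("dpkg-query", ["dpkg-query", "-W", "-f=${Version}\n", "libxml2"]),
    ("rpm", ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}\n", "libxml2"]),
]


def parse_version(text):
    """Turn '1:2.9.10+dfsg-5ubuntu0.20.04.1' into the tuple (2, 9, 10)."""
    text = text.strip()
    text = text.split(":", 1)[-1]        # drop epoch, if any
    upstream = text.split("-", 1)[0]     # drop Debian/RPM package revision
    parts = []
    for component in upstream.split("."):
        match = re.match(r"\d+", component)
        if not match:
            break                        # stop at the first non-numeric component
        parts.append(int(match.group()))
    if not parts:
        raise ValueError(f"unparseable libxml2 version: {text!r}")
    return tuple(parts)


def is_vulnerable(version_text):
    """True when the upstream version is below 2.9.10 (fix not present upstream)."""
    return parse_version(version_text) < parse_version(FIXED_VERSION)


def installed_version():
    """Return (probe_name, version_text) from the first probe that answers, else None."""
    for name, argv in VERSION_PROBES:
        if shutil.which(argv[0]) is None:
            continue
        try:
            output = subprocess.run(argv, capture_output=True, text=True,
                                    timeout=10, check=True).stdout
        except (subprocess.CalledProcessError, subprocess.TimeoutExpired):
            continue
        lines = output.strip().splitlines()
        if lines:
            return name, lines[0]
    return None


def report():
    """Human-readable verdict for the local system."""
    found = installed_version()
    if found is None:
        return "libxml2 not located via xml2-config, dpkg-query or rpm"
    probe, version = found
    try:
        state = ("VULNERABLE (below 2.9.10)" if is_vulnerable(version)
                 else "fixed upstream (2.9.10 or later)")
    except ValueError as exc:
        state = f"could not parse version ({exc})"
    return f"{probe}: libxml2 {version} -> {state}"


if __name__ == "__main__":
    print(report())
```

The comparison is against the upstream version number only. Distributions often backport security fixes without bumping that number, so a package that reports 2.9.4 with a patched revision may already carry the fix; treat a "VULNERABLE" result as a prompt to check the distribution's changelog or security tracker for CVE-2019-19956 rather than as a final verdict.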

📡 Detection & Monitoring

Log Indicators:

  • Unusual memory consumption patterns
  • Application crashes or restarts during XML processing
  • High memory usage alerts

Network Indicators:

  • Repeated XML payloads to XML parsing endpoints
  • Malformed XML structures in network traffic

SIEM Query:

source="*xml*" AND (event="crash" OR event="restart" OR memory_usage>90%) OR (http_request CONTAINS "<?xml" AND payload_size>100KB)
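The indicators above, applied to sample records. This is an added example and not part of the advisory or of any SIEM product: the record schema (kind, service, mem_pct, event, src, path, body_prefix, body_bytes) and the sample lines are constructed for the example. Beyond the threshold rule in the query above, it also flags a run of consecutively rising memory samples for a service, which is what a leak looks like before any absolute limit is hit.

```python
"""Added example (not from the advisory): run its log and network
indicators over newline-delimited JSON records. Schema and sample lines
are constructed for this example.
"""
import json

MEMORY_ALERT_PCT = 90          # from the advisory's query: memory_usage > 90%
XML_SIZE_LIMIT = 100 * 1024    # from the advisory's query: payload_size > 100KB
GROWTH_WINDOW = 4              # consecutive rising samples treated as leak-like growth

# Constructed sample records: per-service memory samples, a service event,
# and HTTP requests with the first bytes of the body and the body size.
SAMPLE_LOGS = """
{"kind": "mem", "service": "xml-gateway", "mem_pct": 41}
{"kind": "mem", "service": "auth", "mem_pct": 30}
{"kind": "mem", "service": "xml-gateway", "mem_pct": 55}
{"kind": "mem", "service": "auth", "mem_pct": 31}
{"kind": "mem", "service": "xml-gateway", "mem_pct": 68}
{"kind": "mem", "service": "auth", "mem_pct": 29}
{"kind": "mem", "service": "xml-gateway", "mem_pct": 79}
{"kind": "mem", "service": "auth", "mem_pct": 30}
{"kind": "mem", "service": "xml-gateway", "mem_pct": 93}
{"kind": "event", "service": "xml-gateway", "event": "restart"}
{"kind": "http", "src": "203.0.113.7", "path": "/api/import", "body_prefix": "<?xml", "body_bytes": 250000}
{"kind": "http", "src": "198.51.100.2", "path": "/api/import", "body_prefix": "<?xml", "body_bytes": 4096}
{"kind": "http", "src": "203.0.113.7", "path": "/api/upload", "body_prefix": "[1,2,3", "body_bytes": 300000}
"""


def parse_records(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def memory_findings(records):
    """Per service: over-threshold usage, and GROWTH_WINDOW consecutive rises."""
    series_by_service = {}
    for rec in records:
        if rec.get("kind") == "mem":
            series_by_service.setdefault(rec["service"], []).append(rec["mem_pct"])
    findings = []
    for service, series in series_by_service.items():
        if max(series) > MEMORY_ALERT_PCT:
            findings.append((service, "memory_over_threshold"))
        rising = 1
        for prev, cur in zip(series, series[1:]):
            rising = rising + 1 if cur > prev else 1
            if rising >= GROWTH_WINDOW:
                findings.append((service, "monotonic_growth"))
                break
    return findings


def crash_findings(records):
    """Crash or restart events, the advisory's 'crashes or restarts during XML processing'."""
    return [(rec["service"], rec["event"]) for rec in records
            if rec.get("kind") == "event" and rec.get("event") in ("crash", "restart")]


def oversized_xml_findings(records):
    """HTTP bodies that start with an XML declaration and exceed the size limit."""
    return [(rec["src"], rec["path"], rec["body_bytes"]) for rec in records
            if rec.get("kind") == "http"
            and rec.get("body_prefix", "").lstrip().startswith("<?xml")
            and rec.get("body_bytes", 0) > XML_SIZE_LIMIT]


def run(text=SAMPLE_LOGS):
    """All findings for a batch of records, grouped by indicator class."""
    records = parse_records(text)
    return {
        "memory": memory_findings(records),
        "crashes": crash_findings(records),
        "oversized_xml": oversized_xml_findings(records),
    }


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

The size rule alone produces noise on any endpoint that legitimately receives large XML, so the finding is most useful when correlated with the memory trend for the service that handles that endpoint, which is what the grouped output is for.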
