CVE-2019-20388

Q: What is the severity of CVE-2019-20388?

CVE-2019-20388 has a CVSS score of 7.5 (HIGH). This vulnerability in libxml2 2.9.10 causes a memory leak in the xmlSchemaValidateStream function when processing XML schemas. It affects any application using libxml2 for XML schema validation, potentially leading to denial of service through resource exhaustion. Systems running vulnerable versions of libxml2 are affected.

7.5 HIGH

Denial of Service

📋 TL;DR

This vulnerability in libxml2 2.9.10 causes a memory leak in the xmlSchemaValidateStream function when processing XML schemas. It affects any application using libxml2 for XML schema validation, potentially leading to denial of service through resource exhaustion. Systems running vulnerable versions of libxml2 are affected.

💻 Affected Systems

Products:

libxml2

Versions: libxml2 2.9.10 specifically

Operating Systems: Linux, Unix-like systems, Any OS using libxml2

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects systems using xmlSchemaValidateStream function for XML schema validation.

📦 What is this software?

Cloud Backup by Netapp

View all CVEs affecting Cloud Backup →

Clustered Data Ontap by Netapp

View all CVEs affecting Clustered Data Ontap →

Communications Cloud Native Core Network Function Cloud Native Environment by Oracle

View all CVEs affecting Communications Cloud Native Core Network Function Cloud Native Environment →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Sustained exploitation could cause memory exhaustion leading to application crashes or system instability, resulting in denial of service.

🟠

Likely Case

Gradual memory consumption over time causing degraded performance or eventual application crashes in systems processing numerous XML schemas.

🟢

If Mitigated

Minimal impact with proper monitoring and resource limits in place; memory usage would be contained.

🌐 Internet-Facing: MEDIUM - Internet-facing applications processing untrusted XML schemas could be targeted for DoS attacks.

🏢 Internal Only: LOW - Internal systems typically process trusted XML schemas, reducing exploitation likelihood.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires ability to trigger XML schema validation with malicious input; no authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: libxml2 2.9.10 with patch or later versions

Vendor Advisory: https://gitlab.gnome.org/GNOME/libxml2/merge_requests/68

Restart Required: Yes

Instructions:

1. Update libxml2 package using system package manager. 2. For Linux: 'sudo apt update && sudo apt upgrade libxml2' (Debian/Ubuntu) or 'sudo yum update libxml2' (RHEL/CentOS). 3. Restart affected applications/services using libxml2.

🔧 Temporary Workarounds

Limit XML schema processing

all

Restrict or monitor XML schema validation operations to prevent excessive memory consumption

Implement application-level limits on XML schema processing frequency

Memory usage monitoring

linux

Monitor memory consumption of processes using libxml2 XML schema validation

Use monitoring tools like top, htop, or system monitoring solutions

🧯 If You Can't Patch

Implement strict input validation and sanitization for XML schemas
Deploy memory usage monitoring and alerting for processes using libxml2

🔍 How to Verify

Check if Vulnerable:

Check libxml2 version: 'xml2-config --version' or 'dpkg -l libxml2' or 'rpm -q libxml2'

Check Version:

xml2-config --version

Verify Fix Applied:

Verify version is patched: version should not be exactly 2.9.10 without patch; check with package manager for applied updates

📡 Detection & Monitoring

Log Indicators:

Unusual memory consumption patterns in application logs
Application crashes related to memory exhaustion

Network Indicators:

Repeated XML schema validation requests to vulnerable endpoints

SIEM Query:

Process memory usage > threshold AND process name contains applications using libxml2

📊 Metadata

CVE ID: CVE-2019-20388

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-401

Published: January 21, 2020

Last Updated: December 17, 2025

🔗 References

http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00047.html Mailing List,Third Party Advisory
https://gitlab.gnome.org/GNOME/libxml2/merge_requests/68 Patch,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html Mailing List,Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/545SPOI3ZPPNPX4TFRIVE4JVRTJRKULL/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5R55ZR52RMBX24TQTWHCIWKJVRV6YAWI/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JDPF3AAVKUAKDYFMFKSIQSVVS3EEFPQH/
https://security.gentoo.org/glsa/202010-04 Third Party Advisory
https://security.netapp.com/advisory/ntap-20200702-0005/ Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html Patch,Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html Patch,Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html Patch,Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00047.html Mailing List,Third Party Advisory
https://gitlab.gnome.org/GNOME/libxml2/merge_requests/68 Patch,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html Mailing List,Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/545SPOI3ZPPNPX4TFRIVE4JVRTJRKULL/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5R55ZR52RMBX24TQTWHCIWKJVRV6YAWI/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JDPF3AAVKUAKDYFMFKSIQSVVS3EEFPQH/
https://security.gentoo.org/glsa/202010-04 Third Party Advisory
https://security.netapp.com/advisory/ntap-20200702-0005/ Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html Patch,Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html Patch,Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html Patch,Third Party Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Cloud Backup by Netapp

Clustered Data Ontap by Netapp

Communications Cloud Native Core Network Function Cloud Native Environment by Oracle

Debian Linux by Debian

Enterprise Manager Base Platform by Oracle

Enterprise Manager Base Platform by Oracle

Enterprise Manager Ops Center by Oracle

Fedora by Fedoraproject

Fedora by Fedoraproject

Fedora by Fedoraproject

H300e Firmware by Netapp

H300s Firmware by Netapp

H410s Firmware by Netapp

H500e Firmware by Netapp

H500s Firmware by Netapp

H700e Firmware by Netapp

H700s Firmware by Netapp

Leap by Opensuse

Libxml2 by Xmlsoft

Mysql Workbench by Oracle

Ontap Select Deploy Administration Utility by Netapp

Peoplesoft Enterprise Peopletools by Oracle

Plug In For Symantec Netbackup by Netapp

Real User Experience Insight by Oracle

Real User Experience Insight by Oracle

Real User Experience Insight by Oracle

Smi S Provider by Netapp

Snapdrive by Netapp

Steelstore Cloud Integrated Storage by Netapp

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Limit XML schema processing

Memory usage monitoring

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities