CVE-2022-23308

Q: What is the severity of CVE-2022-23308?

CVE-2022-23308 has a CVSS score of 7.5 (HIGH). CVE-2022-23308 is a use-after-free vulnerability in libxml2's validation component that allows attackers to potentially execute arbitrary code or cause denial of service. It affects applications that process untrusted XML documents using libxml2's validation features. This vulnerability impacts any software using vulnerable versions of libxml2 for XML parsing and validation.

7.5 HIGH

📋 TL;DR

CVE-2022-23308 is a use-after-free vulnerability in libxml2's validation component that allows attackers to potentially execute arbitrary code or cause denial of service. It affects applications that process untrusted XML documents using libxml2's validation features. This vulnerability impacts any software using vulnerable versions of libxml2 for XML parsing and validation.

💻 Affected Systems

Products:

libxml2
Any software using libxml2 library

Versions: libxml2 versions before 2.9.13

Operating Systems: Linux, Unix-like systems, Windows, macOS

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability is triggered during XML validation of documents with ID and IDREF attributes

📦 What is this software?

Communications Cloud Native Core Network Function Cloud Native Environment by Oracle

View all CVEs affecting Communications Cloud Native Core Network Function Cloud Native Environment →

Communications Cloud Native Core Network Repository Function by Oracle

View all CVEs affecting Communications Cloud Native Core Network Repository Function →

Communications Cloud Native Core Network Repository Function by Oracle

View all CVEs affecting Communications Cloud Native Core Network Repository Function →

Communications Cloud Native Core Network Slice Selection Function by Oracle

View all CVEs affecting Communications Cloud Native Core Network Slice Selection Function →

Communications Cloud Native Core Unified Data Repository by Oracle

View all CVEs affecting Communications Cloud Native Core Unified Data Repository →

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Fedora by Fedoraproject

View all CVEs affecting Fedora →

H300e Firmware by Netapp

View all CVEs affecting H300e Firmware →

H300s Firmware by Netapp

View all CVEs affecting H300s Firmware →

H410c Firmware by Netapp

View all CVEs affecting H410c Firmware →

H410s Firmware by Netapp

View all CVEs affecting H410s Firmware →

H500e Firmware by Netapp

View all CVEs affecting H500e Firmware →

H500s Firmware by Netapp

View all CVEs affecting H500s Firmware →

H700e Firmware by Netapp

View all CVEs affecting H700e Firmware →

H700s Firmware by Netapp

View all CVEs affecting H700s Firmware →

Ipados by Apple

View all CVEs affecting Ipados →

Iphone Os by Apple

View all CVEs affecting Iphone Os →

Libxml2 by Xmlsoft

View all CVEs affecting Libxml2 →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Macos by Apple

macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...

Learn more about Macos →

Macos by Apple

Learn more about Macos →

Manageability Software Development Kit by Netapp

View all CVEs affecting Manageability Software Development Kit →

Mysql Workbench by Oracle

View all CVEs affecting Mysql Workbench →

Ontap Select Deploy Administration Utility by Netapp

View all CVEs affecting Ontap Select Deploy Administration Utility →

Smi S Provider by Netapp

View all CVEs affecting Smi S Provider →

Snapdrive by Netapp

View all CVEs affecting Snapdrive →

Snapmanager by Netapp

View all CVEs affecting Snapmanager →

Solidfire \& Hci Management Node by Netapp

View all CVEs affecting Solidfire \& Hci Management Node →

Solidfire\, Enterprise Sds \& Hci Storage Node by Netapp

View all CVEs affecting Solidfire\, Enterprise Sds \& Hci Storage Node →

Tvos by Apple

View all CVEs affecting Tvos →

Watchos by Apple

View all CVEs affecting Watchos →

Zfs Storage Appliance Kit by Oracle

View all CVEs affecting Zfs Storage Appliance Kit →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise if exploited in a privileged context

🟠

Likely Case

Application crash (denial of service) or memory corruption leading to potential information disclosure

🟢

If Mitigated

Limited impact if proper input validation and sandboxing are implemented

🌐 Internet-Facing: MEDIUM - Exploitation requires processing untrusted XML input, which is common in web applications

🏢 Internal Only: LOW - Requires specific XML processing scenarios that may be less common internally

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires crafting malicious XML documents with specific ID/IDREF attributes

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: libxml2 2.9.13 and later

Vendor Advisory: https://gitlab.gnome.org/GNOME/libxml2/-/issues/235

Restart Required: Yes

Instructions:

1. Update libxml2 to version 2.9.13 or later. 2. Recompile applications using libxml2. 3. Restart affected services.

🔧 Temporary Workarounds

Disable XML validation

all

Disable XML validation features in applications if not required

Application-specific configuration changes

Input filtering

all

Filter or reject XML documents containing ID/IDREF attributes

Implement XML schema validation before libxml2 processing

🧯 If You Can't Patch

Implement strict input validation for XML documents
Run applications in sandboxed/containerized environments with limited privileges

🔍 How to Verify

Check if Vulnerable:

Check libxml2 version: xml2-config --version or dpkg -l libxml2

Check Version:

xml2-config --version || dpkg -l libxml2 || rpm -q libxml2

Verify Fix Applied:

Verify version is 2.9.13 or higher and test with known malicious XML samples

📡 Detection & Monitoring

Log Indicators:

Application crashes related to XML parsing
Memory corruption errors in logs

Network Indicators:

Unusual XML document patterns with repeated ID/IDREF attributes

SIEM Query:

source="application_logs" AND ("segmentation fault" OR "memory corruption") AND "xml"

📊 Metadata

CVE ID: CVE-2022-23308

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-416

Published: February 26, 2022

Last Updated: May 5, 2025

🔗 References

http://seclists.org/fulldisclosure/2022/May/33 Mailing List,Third Party Advisory
http://seclists.org/fulldisclosure/2022/May/34 Mailing List,Third Party Advisory
http://seclists.org/fulldisclosure/2022/May/35 Mailing List,Third Party Advisory
http://seclists.org/fulldisclosure/2022/May/36 Mailing List,Third Party Advisory
http://seclists.org/fulldisclosure/2022/May/37 Mailing List,Third Party Advisory
http://seclists.org/fulldisclosure/2022/May/38 Mailing List,Third Party Advisory
https://github.com/GNOME/libxml2/commit/652dd12a858989b14eed4e84e453059cd3ba340e Patch,Third Party Advisory
https://gitlab.gnome.org/GNOME/libxml2/-/blob/v2.9.13/NEWS Release Notes,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/04/msg00004.html Mailing List,Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LA3MWWAYZADWJ5F6JOUBX65UZAMQB7RF/
https://security.gentoo.org/glsa/202210-03 Third Party Advisory
https://security.netapp.com/advisory/ntap-20220331-0008/ Third Party Advisory
https://support.apple.com/kb/HT213253 Third Party Advisory
https://support.apple.com/kb/HT213254 Third Party Advisory
https://support.apple.com/kb/HT213255 Third Party Advisory
https://support.apple.com/kb/HT213256 Third Party Advisory
https://support.apple.com/kb/HT213257 Third Party Advisory
https://support.apple.com/kb/HT213258 Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html Patch,Third Party Advisory
http://seclists.org/fulldisclosure/2022/May/33 Mailing List,Third Party Advisory
http://seclists.org/fulldisclosure/2022/May/34 Mailing List,Third Party Advisory
http://seclists.org/fulldisclosure/2022/May/35 Mailing List,Third Party Advisory
http://seclists.org/fulldisclosure/2022/May/36 Mailing List,Third Party Advisory
http://seclists.org/fulldisclosure/2022/May/37 Mailing List,Third Party Advisory
http://seclists.org/fulldisclosure/2022/May/38 Mailing List,Third Party Advisory
https://github.com/GNOME/libxml2/commit/652dd12a858989b14eed4e84e453059cd3ba340e Patch,Third Party Advisory
https://gitlab.gnome.org/GNOME/libxml2/-/blob/v2.9.13/NEWS Release Notes,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/04/msg00004.html Mailing List,Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LA3MWWAYZADWJ5F6JOUBX65UZAMQB7RF/
https://security.gentoo.org/glsa/202210-03 Third Party Advisory
https://security.netapp.com/advisory/ntap-20220331-0008/ Third Party Advisory
https://support.apple.com/kb/HT213253 Third Party Advisory
https://support.apple.com/kb/HT213254 Third Party Advisory
https://support.apple.com/kb/HT213255 Third Party Advisory
https://support.apple.com/kb/HT213256 Third Party Advisory
https://support.apple.com/kb/HT213257 Third Party Advisory
https://support.apple.com/kb/HT213258 Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html Patch,Third Party Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Active Iq Unified Manager by Netapp

Bootstrap Os by Netapp

Clustered Data Ontap by Netapp

Clustered Data Ontap Antivirus Connector by Netapp

Communications Cloud Native Core Binding Support Function by Oracle

Communications Cloud Native Core Network Function Cloud Native Environment by Oracle

Communications Cloud Native Core Network Repository Function by Oracle

Communications Cloud Native Core Network Repository Function by Oracle

Communications Cloud Native Core Network Slice Selection Function by Oracle

Communications Cloud Native Core Unified Data Repository by Oracle

Debian Linux by Debian

Fedora by Fedoraproject

H300e Firmware by Netapp

H300s Firmware by Netapp

H410c Firmware by Netapp

H410s Firmware by Netapp

H500e Firmware by Netapp

H500s Firmware by Netapp

H700e Firmware by Netapp

H700s Firmware by Netapp

Ipados by Apple

Iphone Os by Apple

Libxml2 by Xmlsoft

Mac Os X by Apple

Mac Os X by Apple

Mac Os X by Apple

Mac Os X by Apple

Mac Os X by Apple

Mac Os X by Apple

Mac Os X by Apple

Mac Os X by Apple

Mac Os X by Apple

Mac Os X by Apple

Mac Os X by Apple

Mac Os X by Apple

Mac Os X by Apple

Macos by Apple

Macos by Apple

Manageability Software Development Kit by Netapp

Mysql Workbench by Oracle

Ontap Select Deploy Administration Utility by Netapp

Smi S Provider by Netapp

Snapdrive by Netapp

Snapmanager by Netapp

Solidfire \& Hci Management Node by Netapp

Solidfire\, Enterprise Sds \& Hci Storage Node by Netapp

Tvos by Apple

Watchos by Apple

Zfs Storage Appliance Kit by Oracle

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable XML validation

Input filtering

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities