CVE-2022-49043
Published: 26 January 2025
Summary
CVE-2022-49043 is a high-severity Use After Free (CWE-416) vulnerability in Xmlsoft Libxml2. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability ranks at the 44.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2022-49043 is a use-after-free vulnerability in the xmlXIncludeAddNode function in xinclude.c of libxml2 versions prior to 2.11.0. Libxml2 is a widely used XML processing library found across many software ecosystems, including applications that parse XML with XInclude support. The flaw, classified under CWE-416, carries a CVSS v3.1 base score of 8.1 (AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H): high severity, because the potential impact is significant even though exploitation requires local access.
An unprivileged local attacker could exploit this vulnerability by triggering the use-after-free during XML processing with XInclude enabled. The attack has high complexity, since it requires crafting specific malformed XML input that manipulates memory handled by xmlXIncludeAddNode, but it demands no user interaction. Successful exploitation could result in high confidentiality, integrity, and availability impacts, potentially allowing arbitrary code execution, data corruption, or denial of service within the context of the affected process; because the Scope metric is Changed, the impact can extend beyond the vulnerable component itself.
Mitigation consists of updating to libxml2 version 2.11.0 or later; the upstream fix is the commit at https://gitlab.gnome.org/GNOME/libxml2/-/commit/5a19e21605398cef6a8b1452477a8705cb41562b. Debian LTS users should refer to the announcement at https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html for backported fixes in supported releases. PHP integrators should additionally review https://github.com/php/php-src/issues/17467 for related discussion of libxml2 dependency handling.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-53920
Vulnerability details
xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A use-after-free in an XML library enables local arbitrary code execution via crafted input, directly facilitating exploitation for privilege escalation.
Mitigating Controls (NIST 800-53 r5)
SI-2 mandates identification, reporting, and timely correction of software flaws, directly requiring patching of vulnerable libxml2 versions prior to 2.11.0 to eliminate the use-after-free vulnerability.
SI-16 requires memory protection mechanisms such as ASLR, DEP, and guard pages, which directly mitigate exploitation of the use-after-free in xmlXIncludeAddNode.
RA-5 requires vulnerability scanning to detect and prioritize systems affected by CVE-2022-49043 in libxml2 for subsequent remediation.