Cyber Posture

CVE-2024-56171

High

Published: 18 February 2025

Published
18 February 2025
Modified
03 November 2025
KEV Added
Patch
CVSS Score 7.8 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
EPSS Score 0.0018 39.6th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-56171 is a high-severity Use After Free (CWE-416) vulnerability in Xmlsoft Libxml2. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 39.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly remediates the use-after-free vulnerability by requiring timely installation of libxml2 patches to versions 2.12.10 or 2.13.6.

SI-16 Memory Protection good match
prevent

Implements memory safeguards such as ASLR and DEP to prevent unauthorized code execution from exploiting the use-after-free in xmlschemas.c.

SI-10 Information Input Validation partial match
prevent

Validates XML documents and schemas prior to processing to block crafted inputs that trigger the vulnerability during schema validation.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
attack.mitre.org →
Why these techniques?

Use-after-free in XML schema validation enables memory corruption/RCE via crafted local or remote XML input, directly mapping to privilege escalation and exploitation of applications or client execution.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must…

more

be used.

Deeper analysisAI

CVE-2024-56171 is a use-after-free vulnerability (CWE-416) in the libxml2 library, affecting versions before 2.12.10 and 2.13.x before 2.13.6. The flaw resides in the functions xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables within xmlschemas.c. Exploitation occurs when processing crafted XML inputs during schema validation.

A local attacker with no privileges (PR:N) can exploit this vulnerability by supplying a crafted XML document for validation against an XML schema featuring specific identity constraints, or by providing a crafted XML schema. The attack requires high complexity (AC:H) and local access (AV:L) with no user interaction (UI:N). Successful exploitation yields high confidentiality and integrity impacts (C:H/I:H) with no availability impact (A:N) but changed scope (S:C), as reflected in the CVSS v3.1 base score of 7.8.

Advisories recommend upgrading to libxml2 2.12.10 or later in the 2.12 branch, or 2.13.6 or later in the 2.13 branch to mitigate the issue. Further technical details and discussion appear in the libxml2 GitLab issue (https://gitlab.gnome.org/GNOME/libxml2/-/issues/828) and full disclosure postings (http://seclists.org/fulldisclosure/2025/Apr/10, http://seclists.org/fulldisclosure/2025/Apr/11, http://seclists.org/fulldisclosure/2025/Apr/12, http://seclists.org/fulldisclosure/2025/Apr/13).

Details

CWE(s)
CWE-416

Affected Products

xmlsoft
libxml2
≤ 2.12.10 · 2.13.0 — 2.13.6
netapp
hci compute node
all versions
netapp
h410c firmware
all versions
netapp
h300s firmware
all versions
netapp
h500s firmware
all versions
netapp
h700s firmware
all versions
netapp
h410s firmware
all versions
netapp
active iq unified manager
all versions
netapp
manageability software development kit
all versions
netapp
ontap
9
+1 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2025-24928Same product: Netapp Active Iq Unified Manager
CVE-2024-54085Same product: Netapp H300S
CVE-2025-26512Same product class: NAS / storage appliance
CVE-2025-1736Same product: Netapp Ontap
CVE-2025-1861Same product: Netapp Ontap
CVE-2025-27423Same product: Netapp Hci Compute Node
CVE-2025-0725Same product: Netapp Solidfire \& Hci Management Node
CVE-2025-24813Same product: Netapp Hci Compute Node
CVE-2025-57707Same product class: NAS / storage appliance
CVE-2025-25292Same product class: NAS / storage appliance

References