CVE-2022-23308: valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes.
CVSS Score: 7.5 (CVSS 3.1)
Basic Information
CVE ID: CVE-2022-23308
GHSA ID:
EPSS Score: 0.11325%
CWE:
Published: 2/27/2022
Updated: 5/5/2025
KEV Status: No
Technology: -
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
CVE-2022-23308 is a use-after-free of ID and IDREF attributes in valid.c of libxml2, fixed in 2.9.13 by commit 652dd12a858989b14eed4e84e453059cd3ba340e. The patch changes three functions.

xmlRemoveID did not normalize the ID value (obtained after entity expansion) before looking it up, while the document's ID table is keyed on the normalized value. A value carrying extra whitespace therefore missed the table entry when its attribute was freed, leaving an entry that still pointed at the freed attribute; the next xmlGetID for that ID handed back a dangling pointer. The patch normalizes the value before the lookup.

xmlAddID and xmlAddRef detected streaming mode incorrectly. In streaming mode the attribute node is freed shortly after it is seen, so the ID and ref tables must not keep a pointer to it; with the detection broken, a pointer to an attribute that was about to be freed could be stored, and a later access through the table was a use-after-free. The patch corrects the streaming-mode detection logic. xmlAddID also rejected empty ID values only weakly; that check was strengthened.

The commit message explicitly links these two flaws (lack of normalization in xmlRemoveID and broken streaming-mode detection in xmlAddID and xmlAddRef) to use-after-free conditions. xmlValidCtxtNormalizeAttributeValue and xmlValidNormalizeAttributeValue were refactored to share a new helper, xmlValidNormalizeString, but that is a refactoring; the use-after-free fixes are the changes in xmlRemoveID, xmlAddID and xmlAddRef described above.
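To make the normalization mismatch concrete, the following is a self-contained C model added here by the editor; it is not libxml2 code and does not call the libxml2 API. The types attr_t and id_table_t and the functions normalize_string, add_id, get_id, remove_id_unnormalized, remove_id_fixed and stale_entry_after_free are hypothetical stand-ins for xmlAttr, the per-document ID table, xmlValidNormalizeString, xmlAddID, xmlGetID and the pre-fix and post-fix shapes of xmlRemoveID; the attribute value is constructed. The model also applies the strengthened empty-ID check; it does not model the streaming-mode detection.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model only: stand-ins for xmlAttr and the per-document ID table. */
#define MAX_IDS 16
#define MAX_KEY 64

typedef struct {
    const char *name;
    char *value;        /* raw attribute value, may carry extra whitespace */
} attr_t;

typedef struct {
    char key[MAX_KEY];  /* normalized ID value: the table key */
    attr_t *attr;       /* back-pointer into the tree; dangles if the attr is freed first */
} id_entry_t;

typedef struct {
    id_entry_t entries[MAX_IDS];
    int count;
} id_table_t;

/* Strip leading/trailing spaces and collapse runs of spaces, the way tokenized
 * attribute values (ID, IDREF) are normalized during validation. */
void normalize_string(char *str)
{
    char *dst = str;
    const char *src = str;

    if (str == NULL)
        return;
    while (*src == ' ')
        src++;
    while (*src != '\0') {
        if (*src == ' ') {
            while (*src == ' ')
                src++;
            if (*src != '\0')
                *dst++ = ' ';
        } else {
            *dst++ = *src++;
        }
    }
    *dst = '\0';
}

static int find_key(const id_table_t *t, const char *key)
{
    int i;
    for (i = 0; i < t->count; i++)
        if (strcmp(t->entries[i].key, key) == 0)
            return i;
    return -1;
}

static int remove_key(id_table_t *t, const char *key)
{
    int i = find_key(t, key);
    if (i < 0)
        return -1;
    t->entries[i] = t->entries[t->count - 1];
    t->count--;
    return 0;
}

/* Register an ID under its normalized value. Rejects IDs that are empty after
 * normalization (the strengthened check) and duplicates. Returns 0 or -1. */
int add_id(id_table_t *t, attr_t *attr)
{
    char key[MAX_KEY];

    if (t->count >= MAX_IDS || strlen(attr->value) >= MAX_KEY)
        return -1;
    strcpy(key, attr->value);
    normalize_string(key);
    if (key[0] == '\0' || find_key(t, key) >= 0)
        return -1;
    strcpy(t->entries[t->count].key, key);
    t->entries[t->count].attr = attr;
    t->count++;
    return 0;
}

/* Resolve an ID to its attribute: a plain key lookup, like xmlGetID. */
attr_t *get_id(const id_table_t *t, const char *id)
{
    int i = find_key(t, id);
    return i < 0 ? NULL : t->entries[i].attr;
}

/* Pre-fix shape: the raw value is the lookup key, so a value with extra
 * whitespace misses the entry and the pointer to the attribute survives. */
int remove_id_unnormalized(id_table_t *t, const attr_t *attr)
{
    return remove_key(t, attr->value);
}

/* Fixed shape: normalize first so the key matches what add_id stored. */
int remove_id_fixed(id_table_t *t, const attr_t *attr)
{
    char key[MAX_KEY];
    if (strlen(attr->value) >= MAX_KEY)
        return -1;
    strcpy(key, attr->value);
    normalize_string(key);
    return remove_key(t, key);
}

/* Tear down an attribute (unregister, then free) and report whether the table
 * still holds an entry for it: 1 means a later get_id() would return a
 * dangling pointer. The check runs before free(), so the model itself is safe. */
int stale_entry_after_free(int use_fix)
{
    static const char raw[] = "  entry  one ";   /* constructed un-normalized ID */
    id_table_t table;
    attr_t *attr = malloc(sizeof *attr);
    int stale;

    if (attr == NULL)
        return -1;
    table.count = 0;
    attr->name = "id";
    attr->value = malloc(sizeof raw);
    memcpy(attr->value, raw, sizeof raw);
    add_id(&table, attr);                       /* stored under "entry one" */
    if (use_fix)
        remove_id_fixed(&table, attr);
    else
        remove_id_unnormalized(&table, attr);   /* looks up the raw value: miss */
    stale = get_id(&table, "entry one") != NULL;
    free(attr->value);
    free(attr);
    return stale;
}

int main(void)
{
    printf("raw-key removal leaves stale entry:        %d\n", stale_entry_after_free(0));
    printf("normalized-key removal leaves stale entry: %d\n", stale_entry_after_free(1));
    return 0;
}
```

The point of the model is the asymmetry: insertion stores the normalized value as the key, so any removal path that uses the raw value can silently fail, and a failed removal in a table that holds raw pointers is exactly a dangling pointer waiting for the next lookup. When reviewing similar caches, check that every path that frees the pointed-to object derives its key the same way the insertion path did.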