CVE-2022-23308: valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes.

CVSS Score (3.1): 7.5

Basic Information

EPSS Score: 0.11325%
Published: 2/27/2022
Updated: 5/5/2025
KEV Status: No
Technology: -

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vulnerability Intelligence
Root Cause Analysis

The vulnerability CVE-2022-23308 describes a use-after-free of ID and IDREF attributes in valid.c of libxml2. The provided commit 652dd12a858989b14eed4e84e453059cd3ba340e addresses these issues.

  1. xmlRemoveID was vulnerable because it didn't normalize ID strings after potential entity expansion. If an entity's content was freed, xmlRemoveID (and subsequently xmlGetID) could operate on a dangling pointer. The patch adds normalization.
  2. xmlAddID and xmlAddRef were vulnerable due to faulty detection of streaming mode. This could lead to premature freeing of attribute memory that was still referenced, causing a UAF upon later access. The patch corrects the streaming mode detection logic. xmlAddID also had a weaker check for empty ID values, which was strengthened.

The commit message explicitly links these flaws (lack of normalization in xmlRemoveID and broken streaming mode detection in xmlAddID/xmlAddRef) to potential use-after-free conditions. The functions xmlValidCtxtNormalizeAttributeValue and xmlValidNormalizeAttributeValue were refactored to use a new helper xmlValidNormalizeString, but the primary UAF vulnerabilities stemmed from the logic within xmlRemoveID, xmlAddID, and xmlAddRef as described.
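A version triage check for the "before 2.9.13" boundary stated above, as an added example that is not part of the original page or of libxml2. It accepts both the dotted form and the packed integer form that libxml2 reports (for example in `xmllint --version` output); the function names are hypothetical and the sample strings are constructed.

```python
import re

FIXED = (2, 9, 13)  # first fixed release, per the advisory title on this page


def parse_libxml2_version(text):
    """Return (major, minor, micro) from a packed or dotted libxml2 version."""
    text = text.strip()
    # Packed form: major*10000 + minor*100 + micro, e.g. "20912" or
    # "xmllint: using libxml version 20912". Checked first because the
    # version-extra suffix ("-GITv2.9.12...") may also contain a dotted string.
    m = re.search(r"(?<![\d.])(\d{5,6})(?![\d.])", text)
    if m:
        n = int(m.group(1))
        return (n // 10000, (n // 100) % 100, n % 100)
    # Dotted form, possibly with a packaging suffix: "2.9.4+dfsg1-7".
    m = re.search(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)", text)
    if m:
        return tuple(int(g) for g in m.groups())
    raise ValueError(f"no libxml2 version found in {text!r}")


def is_affected(version_text):
    """True when the reported upstream version predates the fixed release."""
    return parse_libxml2_version(version_text) < FIXED


def lxml_report():
    """Check the libxml2 that lxml runs against and was built against.

    Returns None when lxml is not installed (assumption: optional dependency).
    """
    try:
        from lxml import etree
    except ImportError:
        return None
    return {
        "runtime": (etree.LIBXML_VERSION, etree.LIBXML_VERSION < FIXED),
        "compiled": (etree.LIBXML_COMPILED_VERSION,
                     etree.LIBXML_COMPILED_VERSION < FIXED),
    }


if __name__ == "__main__":
    # Constructed sample inputs, not captured from a real host.
    for sample in ("xmllint: using libxml version 20912", "2.9.13", "21206"):
        print(sample, "->", "affected" if is_affected(sample) else "not affected")
    print("lxml:", lxml_report())
```

A vendor package can carry a backported fix under an older upstream version number, so an "affected" result here is a prompt to check the package changelog rather than proof of exposure.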
