CVSS2 score: 2.6 Low

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | HIGH |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | PARTIAL |
Vector | AV:N/AC:H/Au:N/C:N/I:N/A:P |

EPSS score: 0.01 Low (percentile: 83.2%)

The xz_decomp function in xzlib.c in libxml2 2.9.1 does not properly detect
compression errors, which allows context-dependent attackers to cause a
denial of service (process hang) via crafted XML data.
Author | Note |
---|---|
tyhicks | The test xz file does not trigger the DoS in our 2.9.2 builds. xz support was accidentally disabled in 2.9.2. Marking the devel release as ‘needed’ so that the build system fix (18b8988511b0954272cac4d6c3e6724f9dbf6e0a) doesn’t slip in without this CVE fix. |