An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the 0 value).
The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Libxml2 | Xmlsoft | * | 2.10.4 (excluding) |
| Red Hat Enterprise Linux 8 | RedHat | libxml2-0:2.9.7-16.el8_8.1 | * |
| Red Hat Enterprise Linux 8 | RedHat | libxml2-0:2.9.7-16.el8_8.1 | * |
| Red Hat Enterprise Linux 8.6 Extended Update Support | RedHat | libxml2-0:2.9.7-13.el8_6.4 | * |
| Red Hat Enterprise Linux 9 | RedHat | libxml2-0:2.9.13-3.el9_2.1 | * |
| Red Hat Enterprise Linux 9 | RedHat | libxml2-0:2.9.13-3.el9_2.1 | * |
| Text-Only JBCS | RedHat | libxml2 | * |
| Libxml2 | Ubuntu | bionic | * |
| Libxml2 | Ubuntu | esm-infra/xenial | * |
| Libxml2 | Ubuntu | focal | * |
| Libxml2 | Ubuntu | jammy | * |
| Libxml2 | Ubuntu | kinetic | * |
| Libxml2 | Ubuntu | lunar | * |
| Libxml2 | Ubuntu | trusty | * |
| Libxml2 | Ubuntu | trusty/esm | * |
| Libxml2 | Ubuntu | xenial | * |