CVE-2015-8035
Description
libxml2 2.9.1 xz_decomp fails to detect compression errors, allowing denial of service via crafted XML data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The xz_decomp function in xzlib.c of libxml2 version 2.9.1 does not properly detect compression errors when processing XML data compressed with LZMA (xz). This flaw allows a context-dependent attacker to cause a denial of service by providing crafted XML that triggers an infinite loop or process hang.
Exploitation
An attacker can exploit this vulnerability by supplying a specially crafted XML file that, when parsed by an application using libxml2 2.9.1, causes the xz_decomp function to fail to detect a compression error, leading to a hang. No authentication is required if the attacker can deliver the XML to the parser.
Impact
Successful exploitation results in a denial of service (process hang), potentially affecting the availability of the application or service using libxml2.
Mitigation
The issue was fixed in libxml2 version 2.9.2. Apple included the fix in OS X El Capitan 10.11.4, iOS 9.3, watchOS 2.2, and tvOS 9.2 [1][2][3][4].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
26
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- Range: = 2.9.1
- osv-coords (17 versions):
  - pkg:rpm/opensuse/libxml2&distro=openSUSE%20Tumbleweed
  - pkg:rpm/opensuse/ruby3.2-rubygem-nokogiri&distro=openSUSE%20Tumbleweed
  - pkg:rpm/opensuse/rubygem-nokogiri&distro=openSUSE%20Tumbleweed
  - pkg:rpm/suse/libxml2&distro=SUSE%20Linux%20Enterprise%20Desktop%2012
  - pkg:rpm/suse/libxml2&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP1
  - pkg:rpm/suse/libxml2&distro=SUSE%20Linux%20Enterprise%20Server%2012
  - pkg:rpm/suse/libxml2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1
  - pkg:rpm/suse/libxml2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012
  - pkg:rpm/suse/libxml2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1
  - pkg:rpm/suse/libxml2&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012
  - pkg:rpm/suse/libxml2&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP1
  - pkg:rpm/suse/python-libxml2&distro=SUSE%20Linux%20Enterprise%20Desktop%2012
  - pkg:rpm/suse/python-libxml2&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP1
  - pkg:rpm/suse/python-libxml2&distro=SUSE%20Linux%20Enterprise%20Server%2012
  - pkg:rpm/suse/python-libxml2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1
  - pkg:rpm/suse/python-libxml2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012
  - pkg:rpm/suse/python-libxml2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1
- (no CPE) range: < 2.9.4-1.22
- (no CPE) range: < 1.13.9-1.7
- (no CPE) range: < 1.6.8.1-1.3
- (no CPE) range: < 2.9.1-13.1
- (no CPE) range: < 2.9.1-13.1
- (no CPE) range: < 2.9.1-13.1
- (no CPE) range: < 2.9.1-13.1
- (no CPE) range: < 2.9.1-13.1
- (no CPE) range: < 2.9.1-13.1
- (no CPE) range: < 2.9.1-13.1
- (no CPE) range: < 2.9.1-13.1
- (no CPE) range: < 2.9.1-13.1
- (no CPE) range: < 2.9.1-13.1
- (no CPE) range: < 2.9.1-13.1
- (no CPE) range: < 2.9.1-13.1
- (no CPE) range: < 2.9.1-13.1
- (no CPE) range: < 2.9.1-13.1
Patches
0
No patches discovered yet.
References
25
- bugzilla.gnome.org/show_bug.cgi (nvd, Exploit)
- xmlsoft.org/news.html (nvd, Vendor Advisory)
- lists.apple.com/archives/security-announce/2016/Mar/msg00000.html (nvd)
- lists.apple.com/archives/security-announce/2016/Mar/msg00001.html (nvd)
- lists.apple.com/archives/security-announce/2016/Mar/msg00002.html (nvd)
- lists.apple.com/archives/security-announce/2016/Mar/msg00004.html (nvd)
- lists.fedoraproject.org/pipermail/package-announce/2016-February/177341.html (nvd)
- lists.fedoraproject.org/pipermail/package-announce/2016-February/177381.html (nvd)
- lists.opensuse.org/opensuse-updates/2015-12/msg00120.html (nvd)
- lists.opensuse.org/opensuse-updates/2016-01/msg00031.html (nvd)
- rhn.redhat.com/errata/RHSA-2016-1089.html (nvd)
- www.debian.org/security/2015/dsa-3430 (nvd)
- www.openwall.com/lists/oss-security/2015/11/02/2 (nvd)
- www.openwall.com/lists/oss-security/2015/11/02/4 (nvd)
- www.openwall.com/lists/oss-security/2015/11/03/1 (nvd)
- www.securityfocus.com/bid/77390 (nvd)
- www.securitytracker.com/id/1034243 (nvd)
- www.ubuntu.com/usn/USN-2812-1 (nvd)
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay (nvd)
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay (nvd)
- security.gentoo.org/glsa/201701-37 (nvd)
- support.apple.com/HT206166 (nvd)
- support.apple.com/HT206167 (nvd)
- support.apple.com/HT206168 (nvd)
- support.apple.com/HT206169 (nvd)