CVE-2017-18258
Description
The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
libxml2 before 2.9.6 contains uncontrolled memory consumption in LZMA decompression, allowing remote denial of service via crafted file.
Vulnerability
The xz_head function in xzlib.c of libxml2 versions prior to 2.9.6 does not restrict memory allocation during LZMA file decompression. An attacker can trigger excessive memory consumption by providing a crafted LZMA file that causes the decoder to allocate far more memory than required for a legitimate file. This impacts all users of libxml2 below the fixed 2.9.6 release [1][2].
Exploitation
An attacker needs only to supply a specially crafted LZMA file to an application that uses libxml2 for parsing, such as via a network service or when processing user-uploaded files. The attack requires no authentication or special privileges; it can be delivered remotely. The file triggers a path in xz_head that requests a decompression buffer size much larger than the actual data, leading to uncontrolled growth of allocated memory [1][4].
Impact
Successful exploitation leads to uncontrolled memory consumption, resulting in a denial of service (DoS) as the libxml2 process exhausts system memory. This can cause the affected application or service to become unresponsive or crash. No information disclosure or code execution is reported from this vulnerability [1][2].
Mitigation
Fixed in libxml2 version 2.9.6, released on 2017-11-28 [1]. Users should upgrade to 2.9.6 or later. For distributions like Ubuntu, the fix was included in updates such as USN-3739-1 (e.g., libxml2 version 2.9.4+dfsg1-6.5ubuntu1 for Ubuntu 18.04 LTS) [2]. Ruby users relying on nokogiri must update to version 1.8.2 or later, which bundles the fixed libxml2 [3][4]. No workaround is available if upgrading is not possible. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
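The weakness described under Exploitation is a decoder that allocates whatever the stream header asks for; the defensive counterpart to the 2.9.6 fix is to bound that allocation. The Python snippet below is an added illustration (not libxml2's code, nor the fix shipped in 2.9.6) of two such bounds on a liblzma-backed decoder: inspect the header-declared dictionary size before decoding, and set liblzma's own memlimit so that an oversized request is refused before anything is allocated. It uses the legacy .lzma container because its 13-byte header is easy to parse; the 16 MiB policy, the sample document and the oversized header are constructed for the example.

```python
import lzma
import struct

# Policy (assumed for this example): no legitimate document needs more than 16 MiB of dictionary.
MAX_DICT_BYTES = 16 * 1024 * 1024
ALONE_HEADER_LEN = 13  # props byte + little-endian u32 dict size + u64 uncompressed size


def declared_dict_size(blob: bytes) -> int:
    """Dictionary size the .lzma ("alone" container) header tells the decoder to allocate."""
    if len(blob) < ALONE_HEADER_LEN:
        raise ValueError("truncated .lzma header")
    props, dict_size = struct.unpack_from("<BI", blob, 0)
    if props > 8 + 4 * 9 + 4 * 45:  # lc<=8, lp<=4, pb<=4 packed as lc + lp*9 + pb*45
        raise ValueError("invalid LZMA properties byte")
    return dict_size


def header_within_policy(blob: bytes, max_dict: int = MAX_DICT_BYTES) -> bool:
    """First bound: look at the header before handing any bytes to the decoder."""
    return declared_dict_size(blob) <= max_dict


def decoder_memlimit_trips(blob: bytes, limit: int) -> bool:
    """Second bound: with memlimit set, liblzma refuses the stream instead of allocating."""
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE, memlimit=limit)
    try:
        dec.decompress(blob)
    except lzma.LZMAError:  # "Memory usage limit exceeded"
        return True
    return False


def bounded_decompress(blob: bytes, max_dict: int = MAX_DICT_BYTES) -> bytes:
    """Decompress with both bounds; the extra 1 MiB covers liblzma's bookkeeping."""
    if not header_within_policy(blob, max_dict):
        raise ValueError("header-declared dictionary exceeds policy")
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE, memlimit=max_dict + (1 << 20))
    out = dec.decompress(blob)
    if not dec.eof:
        raise ValueError("stream ended before the end-of-stream marker")
    return out


# Constructed sample: a small document compressed with a 64 KiB dictionary.
PLAIN = b"<doc>" + b"a" * 5000 + b"</doc>"
SAMPLE = lzma.compress(PLAIN, format=lzma.FORMAT_ALONE,
                       filters=[{"id": lzma.FILTER_LZMA1, "dict_size": 1 << 16}])
# Constructed header with no payload that declares a 1 GiB dictionary: an unbounded
# decoder would allocate all of it before seeing a single data byte.
OVERSIZED_HEADER = struct.pack("<BIQ", 0x5D, 1 << 30, 0xFFFFFFFFFFFFFFFF)
```

The same memlimit argument exists for the .xz container (FORMAT_XZ and FORMAT_AUTO) and for liblzma's C API, so the second bound carries over to code that, like libxml2's xzlib, decodes through liblzma directly.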
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| nokogiri (RubyGems) | < 1.8.2 | 1.8.2 |
Affected products
Package coordinates sourced from the GitHub Security Advisory (8 entries, none with a CPE):
- pkg:gem/nokogiri (no CPE), range: < 1.8.2
- pkg:rpm/suse/libxml2, SUSE Linux Enterprise Desktop 12 SP3 (no CPE), range: < 2.9.4-46.15.1
- pkg:rpm/suse/libxml2, SUSE Linux Enterprise Server 12 SP3 (no CPE), range: < 2.9.4-46.15.1
- pkg:rpm/suse/libxml2, SUSE Linux Enterprise Server for SAP Applications 12 SP3 (no CPE), range: < 2.9.4-46.15.1
- pkg:rpm/suse/libxml2, SUSE Linux Enterprise Software Development Kit 12 SP3 (no CPE), range: < 2.9.4-46.15.1
- pkg:rpm/suse/python-libxml2, SUSE Linux Enterprise Desktop 12 SP3 (no CPE), range: < 2.9.4-46.15.1
- pkg:rpm/suse/python-libxml2, SUSE Linux Enterprise Server 12 SP3 (no CPE), range: < 2.9.4-46.15.1
- pkg:rpm/suse/python-libxml2, SUSE Linux Enterprise Server for SAP Applications 12 SP3 (no CPE), range: < 2.9.4-46.15.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-882p-jqgm-f45g (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-18258 (NVD entry, listed by GHSA)
- usn.ubuntu.com/3739-1/ (Ubuntu vendor advisory, listed by MITRE and GHSA)
- git.gnome.org/browse/libxml2/commit/ (libxml2 fix commit, listed by GHSA; URL truncated)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2017-18258.yml (ruby-advisory-db entry, listed by GHSA)
- kc.mcafee.com/corporate/index (McAfee vendor confirmation, listed by GHSA)
- lists.debian.org/debian-lts-announce/2018/09/msg00035.html (Debian LTS announcement, listed by GHSA)
- lists.debian.org/debian-lts-announce/2020/09/msg00009.html (Debian LTS announcement, listed by GHSA)
- security.netapp.com/advisory/ntap-20190719-0001/ (NetApp advisory, listed by MITRE and GHSA)
News mentions
No linked articles in our index yet.