CVE-2021-3518
Description
There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free vulnerability in libxml2 before 2.9.11 allows attackers to cause confidentiality, integrity, and availability impacts via crafted files.
Vulnerability
A use-after-free flaw exists in libxml2 versions prior to 2.9.11. An attacker who can supply a crafted file to an application linked with libxml2 can trigger this memory corruption issue.
Exploitation
The attacker needs only the ability to submit a crafted file to be processed by a vulnerable application. No authentication or special privileges are required. The crafted file triggers a use-after-free condition during parsing.
Impact
Successful exploitation can lead to disclosure of sensitive information, corruption of data, or denial of service. The description notes the greatest impact is to confidentiality, integrity, and availability.
Mitigation
The vulnerability is fixed in libxml2 version 2.9.11. Users should upgrade to this version or later. No workarounds are mentioned in the available references.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| nokogiri (RubyGems) | < 1.11.4 | 1.11.4 |
Affected products
- libxml2/libxml2 (description)
- ghsa-coords (45 versions)

| # | Package URL | Affected range (no CPE listed) |
|---|---|---|
| 1 | pkg:gem/nokogiri | < 1.11.4 |
| 2 | pkg:rpm/almalinux/libxml2-devel | < 2.9.7-9.el8_4.2 |
| 3 | pkg:rpm/opensuse/libxml2&distro=openSUSE%20Leap%2015.2 | < 2.9.7-lp152.10.9.1 |
| 4 | pkg:rpm/opensuse/libxml2&distro=openSUSE%20Tumbleweed | < 2.9.12-1.2 |
| 5 | pkg:rpm/opensuse/python-libxml2-python&distro=openSUSE%20Leap%2015.2 | < 2.9.7-lp152.10.9.1 |
| 6 | pkg:rpm/opensuse/ruby3.2-rubygem-nokogiri&distro=openSUSE%20Tumbleweed | < 1.13.9-1.7 |
| 7 | pkg:rpm/opensuse/rubygem-nokogiri&distro=openSUSE%20Tumbleweed | < 1.13.3-1.1 |
| 8 | pkg:rpm/suse/libxml2&distro=HPE%20Helion%20OpenStack%208 | < 2.9.4-46.43.1 |
| 9 | pkg:rpm/suse/libxml2&distro=SUSE%20Linux%20Enterprise%20Micro%205.0 | < 2.9.7-3.31.1 |
| 10 | pkg:rpm/suse/libxml2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP2 | < 2.9.7-3.31.1 |
| 11 | pkg:rpm/suse/libxml2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3 | < 2.9.7-3.31.1 |
| 12 | pkg:rpm/suse/libxml2&distro=SUSE%20Linux%20Enterprise%20Point%20of%20Sale%2011%20SP3 | < 2.7.6-0.77.36.1 |
| 13 | pkg:rpm/suse/libxml2&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSS | < 2.7.6-0.77.36.1 |
| 14 | pkg:rpm/suse/libxml2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL | < 2.9.4-46.43.1 |
| 15 | pkg:rpm/suse/libxml2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCL | < 2.9.4-46.43.1 |
| 16 | pkg:rpm/suse/libxml2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-LTSS | < 2.9.4-46.43.1 |
| 17 | pkg:rpm/suse/libxml2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSS | < 2.9.4-46.43.1 |
| 18 | pkg:rpm/suse/libxml2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 | < 2.9.4-46.40.1 |
| 19 | pkg:rpm/suse/libxml2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3 | < 2.9.4-46.43.1 |
| 20 | pkg:rpm/suse/libxml2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4 | < 2.9.4-46.43.1 |
| 21 | pkg:rpm/suse/libxml2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 | < 2.9.4-46.40.1 |
| 22 | pkg:rpm/suse/libxml2&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5 | < 2.9.4-46.40.1 |
| 23 | pkg:rpm/suse/libxml2&distro=SUSE%20OpenStack%20Cloud%208 | < 2.9.4-46.43.1 |
| 24 | pkg:rpm/suse/libxml2&distro=SUSE%20OpenStack%20Cloud%209 | < 2.9.4-46.43.1 |
| 25 | pkg:rpm/suse/libxml2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 | < 2.9.4-46.43.1 |
| 26 | pkg:rpm/suse/libxml2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 | < 2.9.4-46.43.1 |
| 27 | pkg:rpm/suse/libxml2-python&distro=SUSE%20Linux%20Enterprise%20Point%20of%20Sale%2011%20SP3 | < 2.7.6-0.77.36.1 |
| 28 | pkg:rpm/suse/libxml2-python&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSS | < 2.7.6-0.77.36.1 |
| 29 | pkg:rpm/suse/python-libxml2&distro=HPE%20Helion%20OpenStack%208 | < 2.9.4-46.43.1 |
| 30 | pkg:rpm/suse/python-libxml2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL | < 2.9.4-46.43.1 |
| 31 | pkg:rpm/suse/python-libxml2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCL | < 2.9.4-46.43.1 |
| 32 | pkg:rpm/suse/python-libxml2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-LTSS | < 2.9.4-46.43.1 |
| 33 | pkg:rpm/suse/python-libxml2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSS | < 2.9.4-46.43.1 |
| 34 | pkg:rpm/suse/python-libxml2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 | < 2.9.4-46.40.1 |
| 35 | pkg:rpm/suse/python-libxml2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3 | < 2.9.4-46.43.1 |
| 36 | pkg:rpm/suse/python-libxml2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4 | < 2.9.4-46.43.1 |
| 37 | pkg:rpm/suse/python-libxml2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 | < 2.9.4-46.40.1 |
| 38 | pkg:rpm/suse/python-libxml2&distro=SUSE%20OpenStack%20Cloud%208 | < 2.9.4-46.43.1 |
| 39 | pkg:rpm/suse/python-libxml2&distro=SUSE%20OpenStack%20Cloud%209 | < 2.9.4-46.43.1 |
| 40 | pkg:rpm/suse/python-libxml2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 | < 2.9.4-46.43.1 |
| 41 | pkg:rpm/suse/python-libxml2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 | < 2.9.4-46.43.1 |
| 42 | pkg:rpm/suse/python-libxml2-python&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP2 | < 2.9.7-3.31.1 |
| 43 | pkg:rpm/suse/python-libxml2-python&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3 | < 2.9.7-3.31.1 |
| 44 | pkg:rpm/suse/python-libxml2-python&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%202%2015%20SP2 | < 2.9.7-3.31.1 |
| 45 | pkg:rpm/suse/python-libxml2-python&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%202%2015%20SP3 | < 2.9.7-3.31.1 |
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-v4f8-2847-rwm7 [ghsa, ADVISORY]
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZOMV5J4PMZAORVT64BKLV6YIZAFDGX6/ [mitre, vendor-advisory, x_refsource_FEDORA]
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QVM4UJ3376I6ZVOYMHBNX4GY3NIV52WV/ [mitre, vendor-advisory, x_refsource_FEDORA]
- nvd.nist.gov/vuln/detail/CVE-2021-3518 [ghsa, ADVISORY]
- security.gentoo.org/glsa/202107-05 [ghsa, vendor-advisory, x_refsource_GENTOO, WEB]
- seclists.org/fulldisclosure/2021/Jul/54 [ghsa, mailing-list, x_refsource_FULLDISC, WEB]
- seclists.org/fulldisclosure/2021/Jul/55 [ghsa, mailing-list, x_refsource_FULLDISC, WEB]
- seclists.org/fulldisclosure/2021/Jul/58 [ghsa, mailing-list, x_refsource_FULLDISC, WEB]
- seclists.org/fulldisclosure/2021/Jul/59 [ghsa, mailing-list, x_refsource_FULLDISC, WEB]
- bugzilla.redhat.com/show_bug.cgi [ghsa, x_refsource_MISC, WEB]
- github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2021-3518.yml [ghsa, WEB]
- github.com/sparklemotion/nokogiri/blob/2edbbef95f1dc12c1ddc5ebda71b9159026245fe/CHANGELOG.md [ghsa, WEB]
- lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E [mitre, mailing-list, x_refsource_MLIST]
- lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E [ghsa, WEB]
- lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E [mitre, mailing-list, x_refsource_MLIST]
- lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E [ghsa, WEB]
- lists.debian.org/debian-lts-announce/2021/05/msg00008.html [ghsa, mailing-list, x_refsource_MLIST, WEB]
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BZOMV5J4PMZAORVT64BKLV6YIZAFDGX6 [ghsa, WEB]
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QVM4UJ3376I6ZVOYMHBNX4GY3NIV52WV [ghsa, WEB]
- nokogiri.org/CHANGELOG.html [ghsa, WEB]
- security.netapp.com/advisory/ntap-20210625-0002 [ghsa, WEB]
- security.netapp.com/advisory/ntap-20210625-0002/ [mitre, x_refsource_CONFIRM]
- support.apple.com/kb/HT212601 [ghsa, x_refsource_CONFIRM, WEB]
- support.apple.com/kb/HT212602 [ghsa, x_refsource_CONFIRM, WEB]
- support.apple.com/kb/HT212604 [ghsa, x_refsource_CONFIRM, WEB]
- support.apple.com/kb/HT212605 [ghsa, x_refsource_CONFIRM, WEB]
- www.oracle.com/security-alerts/cpuapr2022.html [ghsa, x_refsource_MISC, WEB]
- www.oracle.com/security-alerts/cpujul2022.html [ghsa, x_refsource_MISC, WEB]
- www.oracle.com/security-alerts/cpuoct2021.html [ghsa, x_refsource_MISC, WEB]