CVE-2021-3537
Description
A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
libxml2 before 2.9.11 fails to propagate errors when parsing mixed XML content in recovery mode, leading to a NULL dereference that can crash the application.
Vulnerability
A vulnerability exists in libxml2 versions prior to 2.9.11 where the parser does not propagate errors while parsing XML mixed content. When an untrusted XML document is parsed in recovery mode and then post-validated, this flaw can trigger a NULL pointer dereference, causing the application to crash [3][1].
Exploitation
An attacker must provide a crafted XML document that triggers the mixed content parsing code path while the parser is in recovery mode. The application must also perform post-validation on the parsed document. No authentication or user interaction beyond delivering the malformed document is required; the exploit is remote and relies on the application processing the malicious input [3].
Impact
Successful exploitation results in a denial of service (DoS) due to application crash from the NULL pointer dereference. The highest threat is to system availability; there is no indication of information disclosure or remote code execution [3].
Mitigation
The flaw is fixed in libxml2 version 2.9.11. Users should update to this or a later version. No workarounds are documented. For projects that bundle libxml2, such as Nokogiri, upgrading to a version that includes the fix (e.g., Nokogiri v1.11.4) addresses the issue [1][3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| nokogiri (RubyGems) | < 1.11.4 | 1.11.4 |
Affected products
Product: libxml2/libxml2 (46 entries). The 45 package versions below are identified by package URL; no CPE identifiers are assigned. Each row pairs a package URL with its distribution qualifier and the version range reported as affected.

| Package (purl) | Distribution | Affected range |
|---|---|---|
| pkg:gem/nokogiri | RubyGems | < 1.11.4 |
| pkg:rpm/almalinux/libxml2-devel | AlmaLinux | < 2.9.7-9.el8_4.2 |
| pkg:rpm/opensuse/libxml2 | openSUSE Leap 15.2 | < 2.9.7-lp152.10.12.1 |
| pkg:rpm/opensuse/libxml2 | openSUSE Tumbleweed | < 2.9.12-1.2 |
| pkg:rpm/opensuse/python-libxml2-python | openSUSE Leap 15.2 | < 2.9.7-lp152.10.12.1 |
| pkg:rpm/opensuse/ruby3.2-rubygem-nokogiri | openSUSE Tumbleweed | < 1.13.9-1.7 |
| pkg:rpm/opensuse/rubygem-nokogiri | openSUSE Tumbleweed | < 1.13.3-1.1 |
| pkg:rpm/suse/libxml2 | HPE Helion OpenStack 8 | < 2.9.4-46.43.1 |
| pkg:rpm/suse/libxml2 | SUSE Linux Enterprise Micro 5.0 | < 2.9.7-3.34.1 |
| pkg:rpm/suse/libxml2 | SUSE Linux Enterprise Module for Basesystem 15 SP2 | < 2.9.7-3.34.1 |
| pkg:rpm/suse/libxml2 | SUSE Linux Enterprise Module for Basesystem 15 SP3 | < 2.9.7-3.34.1 |
| pkg:rpm/suse/libxml2 | SUSE Linux Enterprise Point of Sale 11 SP3 | < 2.7.6-0.77.36.1 |
| pkg:rpm/suse/libxml2 | SUSE Linux Enterprise Server 11 SP4-LTSS | < 2.7.6-0.77.36.1 |
| pkg:rpm/suse/libxml2 | SUSE Linux Enterprise Server 12 SP2-BCL | < 2.9.4-46.43.1 |
| pkg:rpm/suse/libxml2 | SUSE Linux Enterprise Server 12 SP3-BCL | < 2.9.4-46.43.1 |
| pkg:rpm/suse/libxml2 | SUSE Linux Enterprise Server 12 SP3-LTSS | < 2.9.4-46.43.1 |
| pkg:rpm/suse/libxml2 | SUSE Linux Enterprise Server 12 SP4-LTSS | < 2.9.4-46.43.1 |
| pkg:rpm/suse/libxml2 | SUSE Linux Enterprise Server 12 SP5 | < 2.9.4-46.43.1 |
| pkg:rpm/suse/libxml2 | SUSE Linux Enterprise Server for SAP Applications 12 SP3 | < 2.9.4-46.43.1 |
| pkg:rpm/suse/libxml2 | SUSE Linux Enterprise Server for SAP Applications 12 SP4 | < 2.9.4-46.43.1 |
| pkg:rpm/suse/libxml2 | SUSE Linux Enterprise Server for SAP Applications 12 SP5 | < 2.9.4-46.43.1 |
| pkg:rpm/suse/libxml2 | SUSE Linux Enterprise Software Development Kit 12 SP5 | < 2.9.4-46.43.1 |
| pkg:rpm/suse/libxml2 | SUSE OpenStack Cloud 8 | < 2.9.4-46.43.1 |
| pkg:rpm/suse/libxml2 | SUSE OpenStack Cloud 9 | < 2.9.4-46.43.1 |
| pkg:rpm/suse/libxml2 | SUSE OpenStack Cloud Crowbar 8 | < 2.9.4-46.43.1 |
| pkg:rpm/suse/libxml2 | SUSE OpenStack Cloud Crowbar 9 | < 2.9.4-46.43.1 |
| pkg:rpm/suse/libxml2-python | SUSE Linux Enterprise Point of Sale 11 SP3 | < 2.7.6-0.77.36.1 |
| pkg:rpm/suse/libxml2-python | SUSE Linux Enterprise Server 11 SP4-LTSS | < 2.7.6-0.77.36.1 |
| pkg:rpm/suse/python-libxml2 | HPE Helion OpenStack 8 | < 2.9.4-46.43.1 |
| pkg:rpm/suse/python-libxml2 | SUSE Linux Enterprise Server 12 SP2-BCL | < 2.9.4-46.43.1 |
| pkg:rpm/suse/python-libxml2 | SUSE Linux Enterprise Server 12 SP3-BCL | < 2.9.4-46.43.1 |
| pkg:rpm/suse/python-libxml2 | SUSE Linux Enterprise Server 12 SP3-LTSS | < 2.9.4-46.43.1 |
| pkg:rpm/suse/python-libxml2 | SUSE Linux Enterprise Server 12 SP4-LTSS | < 2.9.4-46.43.1 |
| pkg:rpm/suse/python-libxml2 | SUSE Linux Enterprise Server 12 SP5 | < 2.9.4-46.43.1 |
| pkg:rpm/suse/python-libxml2 | SUSE Linux Enterprise Server for SAP Applications 12 SP3 | < 2.9.4-46.43.1 |
| pkg:rpm/suse/python-libxml2 | SUSE Linux Enterprise Server for SAP Applications 12 SP4 | < 2.9.4-46.43.1 |
| pkg:rpm/suse/python-libxml2 | SUSE Linux Enterprise Server for SAP Applications 12 SP5 | < 2.9.4-46.43.1 |
| pkg:rpm/suse/python-libxml2 | SUSE OpenStack Cloud 8 | < 2.9.4-46.43.1 |
| pkg:rpm/suse/python-libxml2 | SUSE OpenStack Cloud 9 | < 2.9.4-46.43.1 |
| pkg:rpm/suse/python-libxml2 | SUSE OpenStack Cloud Crowbar 8 | < 2.9.4-46.43.1 |
| pkg:rpm/suse/python-libxml2 | SUSE OpenStack Cloud Crowbar 9 | < 2.9.4-46.43.1 |
| pkg:rpm/suse/python-libxml2-python | SUSE Linux Enterprise Module for Basesystem 15 SP2 | < 2.9.7-3.34.1 |
| pkg:rpm/suse/python-libxml2-python | SUSE Linux Enterprise Module for Basesystem 15 SP3 | < 2.9.7-3.34.1 |
| pkg:rpm/suse/python-libxml2-python | SUSE Linux Enterprise Module for Python 2 15 SP2 | < 2.9.7-3.34.1 |
| pkg:rpm/suse/python-libxml2-python | SUSE Linux Enterprise Module for Python 2 15 SP3 | < 2.9.7-3.34.1 |
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-286v-pcf5-25rc (source: ghsa; type: advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZOMV5J4PMZAORVT64BKLV6YIZAFDGX6/ (source: mitre; type: vendor advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QVM4UJ3376I6ZVOYMHBNX4GY3NIV52WV/ (source: mitre; type: vendor advisory, x_refsource_FEDORA)
- nvd.nist.gov/vuln/detail/CVE-2021-3537 (source: ghsa; type: advisory)
- security.gentoo.org/glsa/202107-05 (source: ghsa; type: vendor advisory, x_refsource_GENTOO; web)
- bugzilla.redhat.com/show_bug.cgi (source: ghsa; type: x_refsource_MISC; web)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2021-3537.yml (source: ghsa; type: web)
- github.com/sparklemotion/nokogiri/blob/2edbbef95f1dc12c1ddc5ebda71b9159026245fe/CHANGELOG.md (source: ghsa; type: web)
- lists.debian.org/debian-lts-announce/2021/05/msg00008.html (source: ghsa; type: mailing list, x_refsource_MLIST; web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BZOMV5J4PMZAORVT64BKLV6YIZAFDGX6 (source: ghsa; type: web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QVM4UJ3376I6ZVOYMHBNX4GY3NIV52WV (source: ghsa; type: web)
- nokogiri.org/CHANGELOG.html (source: ghsa; type: web)
- security.netapp.com/advisory/ntap-20210625-0002 (source: ghsa; type: web)
- security.netapp.com/advisory/ntap-20210625-0002/ (source: mitre; type: x_refsource_CONFIRM)
- www.oracle.com/security-alerts/cpuapr2022.html (source: ghsa; type: x_refsource_MISC; web)
- www.oracle.com/security-alerts/cpujul2022.html (source: ghsa; type: x_refsource_MISC; web)
- www.oracle.com/security-alerts/cpuoct2021.html (source: ghsa; type: x_refsource_MISC; web)
News mentions
No linked articles in our index yet.