CVE-2022-49043
Published: 26 January 2025
Description
xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free.
Security Summary
CVE-2022-49043 is a use-after-free vulnerability in the xmlXIncludeAddNode function in xinclude.c of libxml2, affecting releases before 2.11.0. libxml2 is the XML parser behind a large number of applications and language runtimes (GNOME, PHP, Python's lxml, and many others), so any of those that expand XInclude directives inherits the flaw. The weakness is classified as CWE-416 and carries a CVSS v3.1 base score of 8.1 (AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H): the local attack vector and high attack complexity are offset by changed scope and high impact on confidentiality, integrity and availability.
An unprivileged local attacker could trigger the use-after-free by supplying crafted XML to a process that performs XInclude processing on it. Attack complexity is rated high because the input must drive XInclude expansion into the freed node in xmlXIncludeAddNode, but no user interaction is required. Successful exploitation has high confidentiality, integrity and availability impact in the context of the affected process, potentially arbitrary code execution, data corruption or denial of service; the Changed scope metric reflects that the damage reaches the application embedding the library, not just the parser itself. Note that XInclude expansion only runs when an application asks for it (the xmlXIncludeProcess* functions, the XML_PARSE_XINCLUDE parser option, xmllint --xinclude, or wrappers such as lxml's xinclude() and PHP's DOMDocument::xinclude()); parsing that never requests XInclude does not reach this code path, which is the first thing to check when triaging exposure.
Mitigation is to update to libxml2 2.11.0 or later; the upstream fix is commit https://gitlab.gnome.org/GNOME/libxml2/-/commit/5a19e21605398cef6a8b1452477a8705cb41562b. Debian LTS users should refer to the announcement at https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html for the backported fix in supported releases (a backported package keeps its older upstream version number, so compare against the distribution's advisory rather than the 2.11.0 threshold alone). PHP integrators, whose builds link or bundle libxml2, should review https://github.com/php/php-src/issues/17467 for the related discussion of libxml2 dependency handling.
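The following is an added example, not code from the advisory or from the libxml2 project: it turns the "before 2.11.0" condition above into a check that can be run against the three places a libxml2 version usually shows up (a plain version string, the integer LIBXML_VERSION that libxml2 and xmllint report, and the lxml binding). The fixed-release threshold comes from the text above; the function names and the sample xmllint output line are assumptions made for illustration.

```python
"""Triage helper for CVE-2022-49043: is this libxml2 build in the affected range?

Added example, not part of the advisory. Only the 2.11.0 threshold is taken from
the advisory text; function names and sample inputs are constructed here.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# First upstream release carrying the xmlXIncludeAddNode fix (from the advisory).
FIXED_VERSION: Version = (2, 11, 0)


def parse_version(text: str) -> Version:
    """Parse a 'major.minor[.patch]' string; trailing suffixes like '+dfsg-1' are ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised libxml2 version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def version_from_libxml_number(num: int) -> Version:
    """libxml2 encodes LIBXML_VERSION as major*10000 + minor*100 + patch (2.10.3 -> 21003)."""
    return (num // 10000, (num // 100) % 100, num % 100)


def parse_xmllint_version_output(text: str) -> Version:
    """Extract the version from `xmllint --version` output, e.g. 'xmllint: using libxml version 20914'."""
    m = re.search(r"using libxml version (\d+)", text)
    if not m:
        raise ValueError("no 'using libxml version N' line found")
    return version_from_libxml_number(int(m.group(1)))


def is_affected_upstream(version: Version) -> bool:
    """True when the upstream version predates the fix.

    Caveat: distributions backport fixes without bumping the upstream version, so a
    True result on a distro package means 'check the distro advisory', not 'vulnerable'.
    """
    return version < FIXED_VERSION


def lxml_libxml2_version() -> Optional[Version]:
    """Version of the libxml2 that lxml is running against, or None if lxml is not installed."""
    try:
        from lxml import etree  # optional dependency; assumption: not present everywhere
    except ImportError:
        return None
    major, minor, patch = etree.LIBXML_VERSION[:3]  # lxml exposes (major, minor, patch)
    return (major, minor, patch)


def triage_report() -> str:
    """Summarise the checks above for the local lxml install (if any)."""
    # Constructed sample of what `xmllint --version` prints on stderr on an older build.
    sample_xmllint = "xmllint: using libxml version 20914\n   compiled with: Threads Tree Output\n"
    lines = []
    v = parse_xmllint_version_output(sample_xmllint)
    lines.append(f"sample xmllint build {'.'.join(map(str, v))}: affected={is_affected_upstream(v)}")
    local = lxml_libxml2_version()
    if local is None:
        lines.append("lxml not installed; skipping binding check")
    else:
        lines.append(f"lxml links libxml2 {'.'.join(map(str, local))}: affected={is_affected_upstream(local)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(triage_report())
```

A True result from is_affected_upstream only establishes that the upstream code base predates the fix; for distribution packages (Debian LTS in particular) the package changelog or the advisory linked above is authoritative, and for any build the second question is whether the application ever invokes XInclude processing at all.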
Details
- CWE(s)