CVE-2024-55549
Published: 14 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2024-55549 is a use-after-free vulnerability in the xsltGetInheritedNsList function within libxslt versions prior to 1.1.43. The issue arises due to improper handling related to the exclusion of result prefixes during XSLT processing, potentially leading to memory corruption when freeing and subsequently accessing deallocated memory.
The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H), indicating it requires local access with high attack complexity but no privileges or user interaction. A local attacker could exploit this to achieve high integrity and availability impacts, such as arbitrary code execution or denial of service, with a changed scope affecting the system's security.
Mitigation details are available in advisories from the GNOME libxslt issue tracker at https://gitlab.gnome.org/GNOME/libxslt/-/issues/127 and the Debian LTS announcement at https://lists.debian.org/debian-lts-announce/2025/03/msg00015.html, which likely include patches upgrading to libxslt 1.1.43 or later.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Use-after-free in libxslt enables local arbitrary code execution (with scope change) for privilege escalation; also supports DoS but primary mapping is T1068.