CVE-2016-4658: Buffer Overflow

Published Sep 25, 2016

The libxml2 library, as used in multiple products, contains a memory corruption flaw. A remote attacker could exploit it with a specially crafted XML document to execute arbitrary code on the system or cause a denial of service.

Other sources

xpointer.c in libxml2 before 2.9.5 (as used in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3, and other products) does not forbid namespace nodes in XPointer ranges, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and memory corruption) via a crafted XML document.

Affected Software

13 affected components:

Google Android
Apple iPhone OS < 10.0
Apple iOS and macOS < 10.12
Apple tvOS < 10.0
Apple WatchOS < 3.0
Xmlsoft Libxml2 < 2.9.5
IBM Security Guardium <= 10.5
IBM Security Guardium <= 10.6
IBM Security Guardium <= 11.0
IBM Security Guardium <= 11.1
IBM Security Guardium <= 11.2
IBM Security Guardium <= 11.3
IBM Security Guardium <= 11.4

Event History

Sep 25, 2016: CVE Published (via MITRE, 10:00 AM)
Sep 25, 2016: Data Sourced (via MITRE, 10:00 AM): Description
Jun 5, 2017: Data Sourced (via Android, 12:00 AM): Severity, Weakness, Affected Software


Frequently Asked Questions

1. What is CVE-2016-4658?

CVE-2016-4658 is a vulnerability in the libxml2 library that allows a remote attacker to execute arbitrary code or cause a denial of service.

2. Which products are affected by CVE-2016-4658?

CVE-2016-4658 affects Google Android, Apple iPhone OS (up to version 10.0), Apple Mac OS X (up to version 10.12), Apple tvOS (up to version 10.0), Apple watchOS (up to version 3.0), Xmlsoft Libxml2 (up to version 2.9.5), and IBM Security Guardium (up to version 11.4).

3. What is the severity of CVE-2016-4658?

CVE-2016-4658 has a severity rating of 9.8 (Critical).

4. How can CVE-2016-4658 be fixed?

To fix CVE-2016-4658, users should update to a version of the affected software that includes the necessary patches or security updates.

5. Where can I find more information about CVE-2016-4658?

You can find more information about CVE-2016-4658 on the IBM X-Force Exchange website and the IBM Support website, as well as on the official Android source code repository.

Contact

SecAlerts Pty Ltd.