CVE-2022-2309: NULL Pointer Dereference in lxml/lxml

Published Jul 5, 2022
·
Updated

NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered.

Affected Software

7 affected componentsFixes available
pip/lxml<4.9.1
4.9.1
All of the following
XMLSoft Libxml2>=2.9.10<=2.9.14
lxml lxml<4.9.1
Fedoraproject Fedora=36
Fedoraproject Fedora=37
lxml lxml<4.9.1
XMLSoft Libxml2>=2.9.10<=2.9.14

Remediation

Patch Available

https://github.com/lxml/lxml/commit/86368e9cf70a0ad23cccd5ee32de847149af0c6f

Patch Available

https://huntr.dev/bounties/8264e74f-edda-4c40-9956-49de635105ba

Event History

Jul 5, 2022
CVE Published
via MITRE·09:00 AM
Data Sourced
via MITRE·09:00 AM
DescriptionSeverityWeakness
Data Sourced
via NVD·10:15 AM
RemedyDescriptionSeverityWeaknessAffected Software
Jul 6, 2022
Advisory Published
via GitHub·12:00 AM
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is CVE-2022-2309?

CVE-2022-2309 is a vulnerability that allows attackers to cause a denial of service or application crash in lxml when used with libxml2 2.9.10 through 2.9.14.

2

What is the severity of CVE-2022-2309?

The severity of CVE-2022-2309 is medium with a CVSS score of 5.3.

3

Which software versions are affected by CVE-2022-2309?

CVE-2022-2309 affects lxml when used with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier versions are not affected.

4

How can an attacker exploit CVE-2022-2309?

An attacker can exploit CVE-2022-2309 by triggering crashes through forged input data when vulnerable code is executed.

5

How can I fix CVE-2022-2309?

To fix CVE-2022-2309, update lxml to version 4.9.1 using pip.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203