CVE-2008-3281

Name: CVE-2008-3281
Creator: NVD / NIST
Published: 2008-08-27T20:41:00+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 6.5/10EPSS 2.51%

Last modified Jun 16, 2026

CVE-2008-3281 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. libxml2 2.6.32 and earlier does not properly detect recursion during entity expansion in an attribute value, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document.. EPSS estimates a 2.51% chance of exploitation in the next 30 days.

Description

libxml2 2.6.32 and earlier does not properly detect recursion during entity expansion in an attribute value, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document.

Metrics

CVSS 3.1

6.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

EPSS Probability

2.51%

82.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-776

Affected Software

Vendor	Product	Versions
Xmlsoft	Libxml2	<= 2.6.32
Apple	Safari	< 4.0
Apple	Iphone Os	>= 1.0.0, < 3.0
Fedoraproject	Fedora	9
Canonical	Ubuntu Linux	6.06
Canonical	Ubuntu Linux	7.04
Canonical	Ubuntu Linux	7.10
Canonical	Ubuntu Linux	8.04
Debian	Debian Linux	4.0
Redhat	Enterprise Linux Desktop	3.0
Redhat	Enterprise Linux Desktop	4.0
Redhat	Enterprise Linux Desktop	5.0
Redhat	Enterprise Linux Eus	4.7
Redhat	Enterprise Linux Eus	5.2
Redhat	Enterprise Linux Server	2.0
Redhat	Enterprise Linux Server	3.0
Redhat	Enterprise Linux Server	4.0
Redhat	Enterprise Linux Server	5.0
Redhat	Enterprise Linux Workstation	2.0
Redhat	Enterprise Linux Workstation	3.0
Redhat	Enterprise Linux Workstation	4.0
Redhat	Enterprise Linux Workstation	5.0
Vmware	Esx	2.5.4
Vmware	Esx	2.5.5
Vmware	Esx	3.0.2
Vmware	Esx	3.0.3

References

http://lists.apple.com/archives/security-announce/2009/Jun/msg00005.htmlMailing List
http://lists.apple.com/archives/security-announce/2009/jun/msg00002.htmlBroken Link, Mailing List
http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00004.htmlMailing List
http://lists.vmware.com/pipermail/security-announce/2008/000039.htmlBroken Link
http://mail.gnome.org/archives/xml/2008-August/msg00034.htmlMailing List, Patch
http://secunia.com/advisories/31558Broken Link
http://secunia.com/advisories/31566Broken Link
http://secunia.com/advisories/31590Broken Link
http://secunia.com/advisories/31728Broken Link
http://secunia.com/advisories/31748Broken Link
http://secunia.com/advisories/31855Broken Link
http://secunia.com/advisories/31982Broken Link
http://secunia.com/advisories/32488Broken Link
http://secunia.com/advisories/32807Broken Link
http://secunia.com/advisories/32974Broken Link
http://secunia.com/advisories/35379Broken Link
http://security.gentoo.org/glsa/glsa-200812-06.xmlThird Party Advisory
http://support.apple.com/kb/HT3613Third Party Advisory
http://support.apple.com/kb/HT3639Third Party Advisory
http://svn.gnome.org/viewvc/libxml2?view=revision&revision=3772Broken Link
http://wiki.rpath.com/Advisories:rPSA-2008-0325Broken Link
http://www.debian.org/security/2008/dsa-1631Mailing List, Third Party Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2008:180Broken Link
http://www.mandriva.com/security/advisories?name=MDVSA-2008:192Broken Link
http://www.securityfocus.com/archive/1/497962/100/0/threadedBroken Link, Third Party Advisory, VDB Entry
http://www.securityfocus.com/bid/30783Broken Link, Patch, Third Party Advisory, VDB Entry
http://www.securitytracker.com/id?1020728Broken Link, Third Party Advisory, VDB Entry
http://www.ubuntu.com/usn/usn-640-1Third Party Advisory
http://www.vmware.com/security/advisories/VMSA-2008-0017.htmlThird Party Advisory
http://www.vupen.com/english/advisories/2008/2419Broken Link
http://www.vupen.com/english/advisories/2008/2843Broken Link
http://www.vupen.com/english/advisories/2008/2971Broken Link
http://www.vupen.com/english/advisories/2009/1522Broken Link
http://www.vupen.com/english/advisories/2009/1621Broken Link
http://xmlsoft.org/news.htmlRelease Notes
https://bugzilla.redhat.com/show_bug.cgi?id=458086Issue Tracking
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6496Broken Link
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9812Broken Link
https://rhn.redhat.com/errata/RHSA-2008-0836.htmlThird Party Advisory
https://usn.ubuntu.com/644-1/Broken Link
https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00261.htmlMailing List
https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00347.htmlMailing List
http://lists.apple.com/archives/security-announce/2009/Jun/msg00005.htmlMailing List
http://lists.apple.com/archives/security-announce/2009/jun/msg00002.htmlBroken Link, Mailing List
http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00004.htmlMailing List
http://lists.vmware.com/pipermail/security-announce/2008/000039.htmlBroken Link
http://mail.gnome.org/archives/xml/2008-August/msg00034.htmlMailing List, Patch
http://secunia.com/advisories/31558Broken Link
http://secunia.com/advisories/31566Broken Link
http://secunia.com/advisories/31590Broken Link
http://secunia.com/advisories/31728Broken Link
http://secunia.com/advisories/31748Broken Link
http://secunia.com/advisories/31855Broken Link
http://secunia.com/advisories/31982Broken Link
http://secunia.com/advisories/32488Broken Link
http://secunia.com/advisories/32807Broken Link
http://secunia.com/advisories/32974Broken Link
http://secunia.com/advisories/35379Broken Link
http://security.gentoo.org/glsa/glsa-200812-06.xmlThird Party Advisory
http://support.apple.com/kb/HT3613Third Party Advisory
http://support.apple.com/kb/HT3639Third Party Advisory
http://svn.gnome.org/viewvc/libxml2?view=revision&revision=3772Broken Link
http://wiki.rpath.com/Advisories:rPSA-2008-0325Broken Link
http://www.debian.org/security/2008/dsa-1631Mailing List, Third Party Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2008:180Broken Link
http://www.mandriva.com/security/advisories?name=MDVSA-2008:192Broken Link
http://www.securityfocus.com/archive/1/497962/100/0/threadedBroken Link, Third Party Advisory, VDB Entry
http://www.securityfocus.com/bid/30783Broken Link, Patch, Third Party Advisory, VDB Entry
http://www.securitytracker.com/id?1020728Broken Link, Third Party Advisory, VDB Entry
http://www.ubuntu.com/usn/usn-640-1Third Party Advisory
http://www.vmware.com/security/advisories/VMSA-2008-0017.htmlThird Party Advisory
http://www.vupen.com/english/advisories/2008/2419Broken Link
http://www.vupen.com/english/advisories/2008/2843Broken Link
http://www.vupen.com/english/advisories/2008/2971Broken Link
http://www.vupen.com/english/advisories/2009/1522Broken Link
http://www.vupen.com/english/advisories/2009/1621Broken Link
http://xmlsoft.org/news.htmlRelease Notes
https://bugzilla.redhat.com/show_bug.cgi?id=458086Issue Tracking
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6496Broken Link
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9812Broken Link
https://rhn.redhat.com/errata/RHSA-2008-0836.htmlThird Party Advisory
https://usn.ubuntu.com/644-1/Broken Link
https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00261.htmlMailing List
https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00347.htmlMailing List

Timeline

Published: Aug 27, 2008
Last Modified: Jun 16, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2008-3281?

How severe is CVE-2008-3281?

CVE-2008-3281 has a CVSS score of 6.5/10 (MEDIUM severity). The EPSS model estimates a 2.51% probability of exploitation in the next 30 days.

How do I fix CVE-2008-3281?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2008-3281?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST