CVE-2022-2309

Name: CVE-2022-2309
Creator: NVD / NIST
Published: 2022-07-05T10:15:08.763+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.5/10EPSS 1.97%

Last modified Jun 17, 2026

CVE-2022-2309 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. EPSS estimates a 1.97% chance of exploitation in the next 30 days.

Description

NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered.

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Probability

1.97%

77.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-476

Affected Software

Vendor	Product	Versions
Lxml	Lxml	< 4.9.1
Fedoraproject	Fedora	36
Fedoraproject	Fedora	37

References

https://github.com/lxml/lxml/commit/86368e9cf70a0ad23cccd5ee32de847149af0c6fPatch, Third Party Advisory
https://huntr.dev/bounties/8264e74f-edda-4c40-9956-49de635105baExploit, Issue Tracking, Patch, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HGYC6L7ENH5VEGN3YWFBYMGKX6WNS7HZ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/URHHSIBTPTALXMECRLAC2EVDNAFSR5NO/
https://security.gentoo.org/glsa/202208-06Third Party Advisory
https://security.netapp.com/advisory/ntap-20220915-0006/Third Party Advisory
https://github.com/lxml/lxml/commit/86368e9cf70a0ad23cccd5ee32de847149af0c6fPatch, Third Party Advisory
https://huntr.dev/bounties/8264e74f-edda-4c40-9956-49de635105baExploit, Issue Tracking, Patch, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2024/09/msg00021.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HGYC6L7ENH5VEGN3YWFBYMGKX6WNS7HZ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/URHHSIBTPTALXMECRLAC2EVDNAFSR5NO/
https://security.gentoo.org/glsa/202208-06Third Party Advisory
https://security.netapp.com/advisory/ntap-20220915-0006/Third Party Advisory

Timeline

Published: Jul 5, 2022
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2022-2309?

How severe is CVE-2022-2309?

CVE-2022-2309 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 1.97% probability of exploitation in the next 30 days.

How do I fix CVE-2022-2309?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-2309?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST