libxml2 Namespace Use-After-Free Vulnerability in xmlSetTreeDoc Function

Vulnerability

A use-after-free vulnerability has been identified in the xmlSetTreeDoc function of the libxml2 XML parsing library. The issue arises when XML nodes with namespaces are transferred between documents, because the function improperly manages namespace references. As a result, a namespace pointer may still reference memory that has been deallocated once the original document is destroyed. Accessing that pointer is a use-after-free condition, which causes a crash in applications that use libxml2 for XML processing. The vulnerability can be exploited by sending crafted XML documents to applications that rely on libxml2, potentially leading to a denial-of-service condition.

Impact

Exploitation of this vulnerability causes applications or services that use libxml2 to crash, disrupting normal operations.

Reproduction

The vulnerability can be reproduced by moving XML nodes with namespaces between documents using the xmlAddChild or xmlReplaceNode functions. This process will create a namespace reference that points to a memory location in the original document. Once the source document is freed, any operation that accesses the namespace, such as serialization with xmlDocDumpMemory, will trigger the use-after-free condition, resulting in a crash.
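The ownership problem described above, shown as an added example on a simplified model. This is not libxml2 code and not part of the original advisory; the Doc, Ns and Node types and all function names are hypothetical stand-ins. It contrasts a move that only relabels the document pointer with an adoption step that re-homes namespaces, and audits the tree for namespace references still owned by the source document.

```c
#include <stdlib.h>
#include <string.h>
/* Simplified model, not libxml2's types: a Doc owns Ns records, Nodes borrow them. */
typedef struct Doc Doc;
typedef struct Ns { char href[64]; Doc *owner; struct Ns *next; } Ns;
typedef struct Node { Ns *ns; Doc *doc; struct Node *child, *sibling; } Node;
struct Doc { Ns *ns_list; };

static Ns *doc_add_ns(Doc *d, const char *href) {
    Ns *n = calloc(1, sizeof *n);
    strncpy(n->href, href, sizeof n->href - 1);
    n->owner = d; n->next = d->ns_list;
    return d->ns_list = n;
}
/* Frees every namespace the document owns; borrowed pointers would dangle. */
static void doc_free(Doc *d) {
    for (Ns *n = d->ns_list, *nx; n; n = nx) { nx = n->next; free(n); }
    free(d);
}
/* Naive move: updates the doc pointer only, leaving ns borrowed from the source. */
static void set_doc_naive(Node *n, Doc *dst) {
    n->doc = dst;
    for (Node *c = n->child; c; c = c->sibling) set_doc_naive(c, dst);
}
/* Audit: count nodes whose namespace is owned by a different document. */
static int foreign_ns_count(const Node *n) {
    int k = (n->ns && n->ns->owner != n->doc);
    for (const Node *c = n->child; c; c = c->sibling) k += foreign_ns_count(c);
    return k;
}
/* Safe adoption: re-home each borrowed namespace into the destination. */
static void adopt_tree(Node *n, Doc *dst) {
    n->doc = dst;
    if (n->ns && n->ns->owner != dst) {
        Ns *m = dst->ns_list;
        while (m && strcmp(m->href, n->ns->href) != 0) m = m->next;
        n->ns = m ? m : doc_add_ns(dst, n->ns->href);
    }
    for (Node *c = n->child; c; c = c->sibling) adopt_tree(c, dst);
}
/* Constructed scenario: move a two-node subtree, return the audit count. */
int foreign_refs_after_move(int safe) {
    Doc *src = calloc(1, sizeof *src), *dst = calloc(1, sizeof *dst);
    Node child = { doc_add_ns(src, "urn:example:a"), src, NULL, NULL };
    Node root = { child.ns, src, &child, NULL };
    if (safe) adopt_tree(&root, dst); else set_doc_naive(&root, dst);
    int k = foreign_ns_count(&root);
    doc_free(dst); doc_free(src);
    return k;
}
int main(void) { return !(foreign_refs_after_move(0) == 2 && foreign_refs_after_move(1) == 0); }
```

A nonzero audit count marks a tree that must not outlive its source document; in the model, the source is only safe to free once the count is zero.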

Added: Nov 7, 2025, 9:24 PM
Updated: Nov 7, 2025, 9:24 PM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 2.5
exploitability: 5.0
remediation: 0.0
relevance: 0.9
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.