Libxml2 Stack-Based Buffer Overflow Vulnerability in DTD Validation

Vulnerability

A stack-based buffer overflow vulnerability has been identified in Libxml2 versions prior to 2.12.10 and 2.13.x prior to 2.13.6. The issue arises in the 'xmlSnprintfElements' function within 'valid.c', and can be exploited when DTD validation is performed on an untrusted document or DTD.

Impact

Exploitation of this vulnerability leads to a stack-based buffer overflow, which can commonly result in arbitrary code execution or a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by using a fuzzing tool, such as Honggfuzz, to test Libxml2 with a crafted XML document that includes an untrusted DTD. This can be done by uploading the document through a vector that allows DTD processing, such as certain XML parsers or applications that use Libxml2 for XML handling.

Remediation

Users should upgrade to Libxml2 version 2.12.10 or 2.13.6. NetApp products affected by this vulnerability should also be updated, as per the guidance in the NetApp advisory NTAP-20250321-0006.
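To apply the version ranges above across an inventory, the following added example (not part of the advisory or of the libxml2 project) classifies reported version strings. It assumes the numeric form that `xmllint --version` prints (major*10000 + minor*100 + micro) and assumes releases after 2.13.x carry the fix; host names and sample strings are constructed.

```python
import re

# Fixed releases named in the advisory.
FIXED_2_12 = (2, 12, 10)
FIXED_2_13 = (2, 13, 6)


def parse_libxml2_version(text):
    """Extract (major, minor, micro) from a version or package string.

    Handles dotted forms ('2.12.9', 'libxml2-2.13.5-1') and the numeric
    form major*10000 + minor*100 + micro that `xmllint --version` prints
    (e.g. 'using libxml version 21209').
    """
    dotted = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if dotted:
        return tuple(int(part) for part in dotted.groups())
    numeric = re.search(r"(?<!\d)(\d{5,6})(?!\d)", text)
    if numeric:
        n = int(numeric.group(1))
        return (n // 10000, (n // 100) % 100, n % 100)
    raise ValueError(f"no libxml2 version found in {text!r}")


def is_affected(text):
    """True when the version is inside the ranges the advisory lists."""
    version = parse_libxml2_version(text)
    if version[:2] == (2, 13):
        return version < FIXED_2_13
    # Older branches are affected below 2.12.10. Releases after 2.13.x
    # are assumed to contain the fix (assumption, not stated on the page).
    return version < FIXED_2_12


def affected_hosts(inventory):
    """Return sorted host names whose reported libxml2 is affected."""
    return sorted(h for h, v in inventory.items() if is_affected(v))


# Constructed sample inventory (hypothetical hosts and strings).
SAMPLE_INVENTORY = {
    "web-01": "xmllint: using libxml version 21209",
    "web-02": "libxml2-2.13.6-1",
    "build-01": "2.13.5",
    "db-01": "2.12.10",
}

if __name__ == "__main__":
    print(affected_hosts(SAMPLE_INVENTORY))
```

Distribution packages that backport the fix keep an older upstream version number, so a hit from this check should be confirmed against the vendor's own advisory before it is treated as exposure.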

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.