libxml2 Stack Overflow Vulnerability Due to Uncontrolled Recursion in XPath Evaluation

Vulnerability

A stack overflow vulnerability has been identified in libxml2 versions up to and including 2.9.14. The issue arises from uncontrolled recursion in XPath evaluation, which lets local attackers cause a stack overflow with crafted expressions. The root cause is in the XPath processing functions 'xmlXPathRunEval', 'xmlXPathCtxtCompile', and 'xmlXPathEvalExpr', which improperly reset the recursion depth to zero before executing potentially recursive calls. Because the depth counter restarts on every such call, the depth limit never takes effect when these functions are re-entered, and the recursion continues until the stack overflows.

Impact

Exploitation of this vulnerability causes a stack overflow, which can lead to a denial-of-service condition: the application crashes or becomes unresponsive.

Reproduction

The vulnerability can be reproduced by using an EXSLT function that invokes 'xmlXPathRunEval' recursively, such as 'dyn:map' or 'dyn:evaluate'. This will trigger the uncontrolled recursion by resetting the depth to zero, allowing the stack overflow to occur.
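The following C program is an added illustration, not libxml2 code: a small model of the flaw described above, in which an evaluator entry point either resets the depth counter on each re-entry (the flawed behaviour) or keeps it. The names run_eval, eval_node, run_model, MAX_DEPTH and reset_on_entry are assumptions made for the model, and the nesting is capped by the caller so the program itself never exhausts the stack.

```c
#include <stdio.h>

#define MAX_DEPTH 50            /* assumed limit for this model */

typedef struct {
    int depth;        /* counter the recursion guard checks */
    int frames;       /* calls actually live on the stack */
    int peak_frames;  /* highest value frames reached */
} EvalCtx;

static int run_eval(EvalCtx *ctx, int nesting, int reset_on_entry);

/* Evaluate one expression; nesting > 0 models an extension function
 * (the dyn:evaluate role) that re-enters the evaluator entry point. */
static int eval_node(EvalCtx *ctx, int nesting, int reset_on_entry) {
    int entry_depth = ctx->depth, rc = 0;
    if (ctx->depth >= MAX_DEPTH)
        return -1;                       /* guard: refuse to go deeper */
    ctx->depth++;
    if (++ctx->frames > ctx->peak_frames)
        ctx->peak_frames = ctx->frames;
    if (nesting > 0)
        rc = run_eval(ctx, nesting - 1, reset_on_entry);
    ctx->frames--;
    ctx->depth = entry_depth;
    return rc;
}

/* Entry point in the role of xmlXPathRunEval. */
static int run_eval(EvalCtx *ctx, int nesting, int reset_on_entry) {
    if (reset_on_entry)
        ctx->depth = 0;   /* flawed: the guard forgets the outer calls */
    return eval_node(ctx, nesting, reset_on_entry);
}

/* Returns 0 if evaluation completed, -1 if the guard stopped it. */
int run_model(int nesting, int reset_on_entry, int *peak) {
    EvalCtx ctx = {0, 0, 0};
    int rc = run_eval(&ctx, nesting, reset_on_entry);
    *peak = ctx.peak_frames;
    return rc;
}

int main(void) {
    int peak, rc = run_model(1000, 1, &peak);
    printf("reset on entry: rc=%d peak=%d\n", rc, peak);
    rc = run_model(1000, 0, &peak);
    printf("depth kept:     rc=%d peak=%d\n", rc, peak);
    return 0;
}
```

With the reset, the guard never fires and the number of live frames follows the input nesting; with the counter preserved, evaluation stops at the limit and returns an error instead.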

Remediation

Users can upgrade to libxml2 versions after 2.9.14 to address this vulnerability.

Added: Sep 10, 2025, 7:17 PM
Updated: Sep 10, 2025, 7:17 PM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.