VIR Vulnerability Intelligence Relay

CVE-2014-3660

medium
Published 2014-11-04 ยท Modified 2026-05-06
๐Ÿ’ฌ Discuss on Community โœš Propose mitigation
CVSS v3
โ€”
CVSS v4 NEW
โ€”
not yet in upstream
VIR risk
5.0

Description

parser.c in libxml2 before 2.9.2 does not properly prevent entity expansion even when entity substitution has been disabled, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted XML document containing a large number of nested entity references, a variant of the "billion laughs" attack.

Predictions

Exploit likelihood
20%
Patch ETA
โ€”

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ€” if you've already worked around this in production โ€” publish your fix to the community-verified tier.

โœš Propose a mitigation on Community โ†’ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

OS impact
OSVersionStatusFixed in
suse slesaffected
debian debianbookwormfixed2.9.2+dfsg1-1
debian debianbullseyefixed2.9.2+dfsg1-1
debian debianforkyfixed2.9.2+dfsg1-1
debian debiansidfixed2.9.2+dfsg1-1
debian debiantrixiefixed2.9.2+dfsg1-1
debian debian7.0affected
macos macosaffected
ubuntu ubuntu10.04affected
ubuntu ubuntu12.04affected
ubuntu ubuntu14.04affected
redhat rhel5.0affected

Application impact
VendorProductVersionsFixed
xmlsoftlibxml2{"endIncluding":"2.9.1"}
xmlsoftlibxml22.0.0
xmlsoftlibxml22.1.0
xmlsoftlibxml22.1.1
xmlsoftlibxml22.2.0
xmlsoftlibxml22.2.1
xmlsoftlibxml22.2.2
xmlsoftlibxml22.2.3
xmlsoftlibxml22.2.4
xmlsoftlibxml22.2.5
xmlsoftlibxml22.2.6
xmlsoftlibxml22.2.7
xmlsoftlibxml22.2.8
xmlsoftlibxml22.2.9
xmlsoftlibxml22.2.10
xmlsoftlibxml22.2.11
xmlsoftlibxml22.3.0
xmlsoftlibxml22.3.1
xmlsoftlibxml22.3.2
xmlsoftlibxml22.3.3
xmlsoftlibxml22.3.4
xmlsoftlibxml22.3.5
xmlsoftlibxml22.3.6
xmlsoftlibxml22.3.7
xmlsoftlibxml22.3.8
xmlsoftlibxml22.3.9
xmlsoftlibxml22.3.10
xmlsoftlibxml22.3.11
xmlsoftlibxml22.3.12
xmlsoftlibxml22.3.13
xmlsoftlibxml22.3.14
xmlsoftlibxml22.4.1
xmlsoftlibxml22.4.2
xmlsoftlibxml22.4.3
xmlsoftlibxml22.4.4
xmlsoftlibxml22.4.5
xmlsoftlibxml22.4.6
xmlsoftlibxml22.4.7
xmlsoftlibxml22.4.8
xmlsoftlibxml22.4.9
xmlsoftlibxml22.4.10
xmlsoftlibxml22.4.11
xmlsoftlibxml22.4.12
xmlsoftlibxml22.4.13
xmlsoftlibxml22.4.14
xmlsoftlibxml22.4.15
xmlsoftlibxml22.4.16
xmlsoftlibxml22.4.17
xmlsoftlibxml22.4.18
xmlsoftlibxml22.4.19
xmlsoftlibxml22.4.20
xmlsoftlibxml22.4.21
xmlsoftlibxml22.4.22
xmlsoftlibxml22.4.23
xmlsoftlibxml22.4.24
xmlsoftlibxml22.4.25
xmlsoftlibxml22.4.26
xmlsoftlibxml22.4.27
xmlsoftlibxml22.4.28
xmlsoftlibxml22.4.29
xmlsoftlibxml22.4.30
xmlsoftlibxml22.5.0
xmlsoftlibxml22.5.4
xmlsoftlibxml22.5.7
xmlsoftlibxml22.5.8
xmlsoftlibxml22.5.10
xmlsoftlibxml22.5.11
xmlsoftlibxml22.6.0
xmlsoftlibxml22.6.1
xmlsoftlibxml22.6.2
xmlsoftlibxml22.6.3
xmlsoftlibxml22.6.4
xmlsoftlibxml22.6.5
xmlsoftlibxml22.6.6
xmlsoftlibxml22.6.7
xmlsoftlibxml22.6.8
xmlsoftlibxml22.6.9
xmlsoftlibxml22.6.11
xmlsoftlibxml22.6.12
xmlsoftlibxml22.6.13
xmlsoftlibxml22.6.14
xmlsoftlibxml22.6.16
xmlsoftlibxml22.6.17
xmlsoftlibxml22.6.18
xmlsoftlibxml22.6.20
xmlsoftlibxml22.6.21
xmlsoftlibxml22.6.22
xmlsoftlibxml22.6.23
xmlsoftlibxml22.6.24
xmlsoftlibxml22.6.25
xmlsoftlibxml22.6.26
xmlsoftlibxml22.6.27
xmlsoftlibxml22.6.28
xmlsoftlibxml22.6.29
xmlsoftlibxml22.6.30
xmlsoftlibxml22.6.31
xmlsoftlibxml22.6.32
xmlsoftlibxml22.7.0
xmlsoftlibxml22.7.1
xmlsoftlibxml22.7.2
xmlsoftlibxml22.7.3
xmlsoftlibxml22.7.4
xmlsoftlibxml22.7.5
xmlsoftlibxml22.7.6
xmlsoftlibxml22.7.7
xmlsoftlibxml22.7.8
xmlsoftlibxml22.8.0
xmlsoftlibxml22.9.0

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.