VIR Vulnerability Intelligence Relay

CVE-2018-9251

medium
Published — · Modified —
CVSS v3
CVSS v2
VIR risk
5.5

Description

The xz_decomp function in xzlib.c in libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035.

Predictions

Exploit likelihood
20%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2018-9251

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2018-9251.html

vendor Authored 2026-05-27

Vendor advisory: arch — https://security.archlinux.org/ASA-201810-3

vendor Authored 2026-05-27

Vendor advisory: arch — https://security.archlinux.org/ASA-201810-4

OS impact
OSVersionStatusFixed in
arch archfixed2.9.8-4
suse slesaffected
debian debianbookwormfixed0
debian debianbullseyefixed0
debian debianforkyfixed0
debian debiansidfixed0
debian debiantrixiefixed0

References

Verify integrity in audit chain (admin only). AS-IS.