CVE-2021-3516: 
Rocky Linux vulnerability analysis and mitigation

A use-after-free vulnerability was discovered in libxml2's xmllint tool in versions before 2.9.11. The vulnerability was assigned CVE-2021-3516 and was disclosed in April 2021. The flaw affects the xmllint utility when processing XML files, specifically when used with the --html and --push options together (Red Hat Bugzilla).

The vulnerability occurs when xmlCtxtUseOptions() is called on a htmlParserCtxtPtr instead of using htmlCtxtUseOptions(). This implementation error can lead to a use-after-free condition when processing specially crafted files. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

The vulnerability can lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS) when an attacker submits a specially crafted file to be processed by xmllint. The greatest impact of this flaw affects confidentiality, integrity, and availability of the system (NetApp Security).

The vulnerability was fixed in libxml2 version 2.9.11. As a temporary workaround, users can mitigate the risk by avoiding the use of xmllint with the --html and --push options together. Multiple vendors have released patches for their affected products, including Red Hat, Debian, Ubuntu, and Oracle (Gentoo Security, NetApp Security).