CVE-2021-3537: 
Ruby vulnerability analysis and mitigation

A vulnerability was discovered in libxml2 versions before 2.9.11 that did not properly propagate errors while parsing XML mixed content, resulting in a NULL pointer dereference. The vulnerability was assigned CVE-2021-3537 and was disclosed in May 2021. This flaw affects libxml2, a library providing support to read, modify and write XML and HTML files (NVD, CVE).

The vulnerability occurs when parsing XML mixed content, where errors are not properly propagated during the parsing process. This leads to invalid data structures being created, which can result in NULL pointer dereferences when post-validating documents that were parsed in recovery mode. The issue specifically manifests when both recovery mode parsing and post-validation are used together (Bugzilla). The vulnerability has been assigned a CVSS v3.1 base score of 5.9 (Medium) with vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H (Ubuntu).

If successfully exploited, this vulnerability could allow an attacker to crash applications that use libxml2 when processing untrusted XML documents in recovery mode with post-validation enabled. The primary impact is on system availability, with no direct impact on confidentiality or integrity (NVD, Debian).

The vulnerability was fixed in libxml2 version 2.9.11. Users are advised to upgrade to this version or later. The fix was also backported to various distribution-specific versions. For example, Ubuntu provided fixes for multiple releases including 20.04 LTS (version 2.9.10+dfsg-5ubuntu0.20.04.1) and 18.04 LTS (version 2.9.4+dfsg1-6.1ubuntu1.4) (Ubuntu, Debian).