CVE-2022-2309: 
Python vulnerability analysis and mitigation

A NULL Pointer Dereference vulnerability (CVE-2022-2309) was discovered in lxml when used together with libxml2 versions 2.9.10 through 2.9.14. The vulnerability was disclosed in July 2022 and affects the iterwalk function (also used by the canonicalize function). This vulnerability only impacts lxml versions prior to 4.9.1, while libxml2 2.9.9 and earlier are not affected (NVD).

The vulnerability is caused by incorrect handling of XML files in the iterwalk function, which is also used by the canonicalize function. The issue occurs when parsing and using iterwalk on trees generated by the same parser. Such code sequence would usually be replaced with the more efficient iterparse function, but there are legitimate use cases where this sequence is necessary, such as XML converters that serialize to C14N (NVD, Gentoo).

When successfully exploited, this vulnerability could lead to a denial of service (DoS) through application crashes. The severity is rated as HIGH with a CVSS v3.1 base score of 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) (NetApp).

The vulnerability has been fixed in lxml version 4.9.1. Users are advised to upgrade to this version or later. For Fedora users, the fix is available through package updates python-lxml-4.9.1-1.fc37 for Fedora 37 and python-lxml-4.7.1-3.fc36 for Fedora 36 (Fedora).