CVE-2022-49043: 
Rocky Linux vulnerability analysis and mitigation

A use-after-free vulnerability was discovered in libxml2 before version 2.11.0, specifically in the xmlXIncludeAddNode function within xinclude.c. The vulnerability was assigned CVE-2022-49043 and was publicly disclosed in January 2025 (NVD, RedHat).

The vulnerability is classified as a use-after-free (CWE-416) issue in the xmlXIncludeAddNode function. It received a CVSS v3.1 base score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H. The issue was discovered during improvements to memory allocation failure handling in libxml2 (Github Issue).

The vulnerability can lead to crashes, memory leaks, or inconsistent states under extreme system stress. While an attacker cannot directly control allocation failures, they may trigger denial-of-service conditions. The impact is considered moderate because memory allocation failures are not typically controllable by an attacker and do not directly result in privilege escalation or arbitrary code execution (RedHat).

The vulnerability has been fixed in libxml2 version 2.11.0 and the fix has been backported to various Linux distributions. Ubuntu has released fixes for versions 24.04 LTS, 22.04 LTS, and 20.04 LTS (Ubuntu). The fix was implemented through a commit in the libxml2 repository (Libxml2 Commit).