CVE-2024-25062: 
NixOS vulnerability analysis and mitigation

A use-after-free vulnerability was discovered in libxml2 versions before 2.11.7 and 2.12.x before 2.12.5. The vulnerability affects the XML Reader interface when both DTD validation and XInclude expansion are enabled. This security issue was disclosed on February 4, 2024, and has been assigned CVE-2024-25062 (MITRE CVE, NVD).

The vulnerability is classified as a use-after-free (CWE-416) issue that occurs specifically when processing crafted XML documents, leading to an xmlValidatePopElement use-after-free condition. The vulnerability has received a CVSS v3.1 base score of 7.5 (High), with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating network accessibility with low attack complexity and no required privileges or user interaction (NVD).

The vulnerability primarily affects the availability of the system, as indicated by the CVSS scoring which shows high impact on availability but no impact on confidentiality or integrity. The issue can be triggered when processing specially crafted XML documents, potentially leading to service disruptions (NVD).

Fixed versions have been released and are available in libxml2 version 2.11.7 and 2.12.5. Various Linux distributions have also released patched versions, including Ubuntu 23.10, 22.04 LTS, 20.04 LTS, and 18.04 LTS. Ubuntu Pro users on older versions (16.04 LTS and 14.04 LTS) can access fixes through ESM Infra (Ubuntu Security).