{"id":"CVE-2024-40896","details":"In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity content (by setting \"checked\"). This makes classic XXE attacks possible.","modified":"2026-04-12T09:00:31.135340Z","published":"2024-12-23T17:15:08.400Z","related":["CGA-m9jv-h669-37vg","SUSE-SU-2025:20116-1","SUSE-SU-2025:20418-1","USN-7215-1","openSUSE-SU-2024:14241-1","openSUSE-SU-2024:14611-1","openSUSE-SU-2025:0024-1"],"references":[{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20250228-0004/"},{"type":"REPORT","url":"https://gitlab.gnome.org/GNOME/libxml2/-/commit/1a8932303969907f6572b1b6aac4081c56adb5c6"},{"type":"REPORT","url":"https://gitlab.gnome.org/GNOME/libxml2/-/issues/761"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://gitlab.gnome.org/GNOME/libxml2","events":[{"introduced":"f296934ade688baab79caf1c62a82149ad78accf"},{"fixed":"954e851e1d8d1f4c1dfbdf043623b3c11a1c723c"},{"introduced":"5e9b167dce73bd6a804ab107ae4c4b95e6849597"},{"fixed":"00301f0fe8bccdb9945fb684e9bbd72449b961a5"},{"introduced":"cdd2575f7fbab1d8162600f4048bc37503c80e28"},{"fixed":"3b1742b8391e966be780bdc43fdf959f7b3a118c"},{"fixed":"1a8932303969907f6572b1b6aac4081c56adb5c6"}],"database_specific":{"versions":[{"introduced":"2.11.0"},{"fixed":"2.11.9"},{"introduced":"2.12.0"},{"fixed":"2.12.9"},{"introduced":"2.13.0"},{"fixed":"2.13.3"}]}}],"versions":["v2.11.0","v2.11.1","v2.11.2","v2.11.3","v2.11.4","v2.11.5","v2.11.6","v2.11.7","v2.11.8","v2.12.0","v2.12.1","v2.12.2","v2.12.3","v2.12.4","v2.12.5","v2.12.6","v2.12.7","v2.12.8","v2.13.0","v2.13.1","v2.13.2"],"database_specific":{"vanir_signatures":[{"signature_version":"v1","digest":{"length":3301,"function_hash":"82553749786656255912126799861154897360"},"id":"CVE-2024-40896-0c2708a2","target":{"function":"xmlParseReference","file":"parser.c"},"source":"https://gitlab.gnome.org/GNOME/libxml2@1a8932303969907f6572b1b6aac4081c56adb5c6","signature_type":"Function","deprecated":false},{"signature_version":"v1","digest":{"line_hashes":["226593095160989718580933120468166360739","24164626288106891637588310425951675567","136306041615198176511953925556784839741"],"threshold":0.9},"id":"CVE-2024-40896-910a3c8a","target":{"file":"parser.c"},"source":"https://gitlab.gnome.org/GNOME/libxml2@1a8932303969907f6572b1b6aac4081c56adb5c6","signature_type":"Line","deprecated":false}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-40896.json","vanir_signatures_modified":"2026-04-12T09:00:31Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"}]}