CVE-2017-8872

Advisory lineage Upstream: 0 Downstream: 6

Downstream

DEBIAN-CVE-2017-8872 DLA-2369-1 SUSE-SU-2017:2115-1 SUSE-SU-2017:2141-1 UBUNTU-CVE-2017-8872 USN-4991-1

Modified

Published: 10 May 2017, 05:14

Last modified:17 Dec 2025, 21:59

Vulnerability Summary

Overall Risk (default)

high

70/100

CVSS Score

9.1 CRITICAL

v3.1 (cve.org)

EPSS Score

0.23% LOW

0% probability +0.06%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

10 May 2017, 05:14

Published

Vulnerability first disclosed

17 Dec 2025, 21:59

Last Modified

Vulnerability information updated

Description

The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers to cause a denial of service (buffer over-read) or information disclosure.

CVSS Metrics

v3.1•CRITICAL•Score: 9.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
v3.0•CRITICAL•Score: 9.1CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
v2.0•MEDIUM•Score: 6.4AV:N/AC:L/Au:N/C:P/I:N/A:P

EPSS Trends

Current EPSS score: 0.23%• Percentile: 46%

Techniques & Countermeasures

CWE-125•Out-of-bounds Read
The product reads data past the end, or before the beginning, of the intended buffer.

Affected Systems

xmlsoft•libxml2
2.9.4