This repository documents a race condition vulnerability in libxml2 (prior to version 2.12.7) that can lead to information disclosure through unsafe handling of external XML entities.
A race condition exists in libxml2's readlink() handling when resolving file:// external entities. By rapidly switching a symbolic link's target between a decoy and a sensitive file during XML parsing, an attacker can trick libxml2-based tools into unintentionally exposing sensitive data.
Affected tools:
- xmllint
- xsltproc
- Python's lxml library (which uses libxml2 under the hood)
Tested and confirmed on:
- Debian-based systems (Debian, Kali Linux)
- libxml2 < 2.12.7
- Information Disclosure: Sensitive files may be read via crafted XML + symlink timing.
- Potential Local Privilege Escalation: If a privileged process parses untrusted XML, this may lead to privilege abuse.
- Vulnerability Type: Race Condition, XXE (XML External Entity)
- Affected Functionality: readlink() usage in external entity resolution
- Attack Vector: Local attacker crafts XML with external entity → links to symlink → rapidly swaps symlink target during parsing.
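The flaw described above is a check-then-use (TOCTOU) gap: the link target can change between the readlink() lookup and the read of the resolved path. As an added illustration that is not part of this repository or of libxml2, the POSIX C helper below shows the defender-side pattern for loading a file:// entity: open with O_NOFOLLOW so the kernel rejects a symlink at the final path component atomically, then fstat() the descriptor rather than the path name. The function names and the /tmp scratch paths are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical hardened opener for a file:// entity path (not libxml2 code).
 * Returns a read-only descriptor, or -1 with errno set. O_NOFOLLOW makes the
 * kernel refuse a symlink at the final component atomically, so there is no
 * readlink()-then-open window in which the link target can be swapped. */
int open_entity_nofollow(const char *path) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    /* Validate the descriptor we actually hold, never the path name again. */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Constructed demo: a decoy file and a symlink that points at it.
 * Returns 1 if the symlink is refused (ELOOP) and the real file is accepted. */
int demo_symlink_is_refused(void) {
    char dir[] = "/tmp/entityXXXXXX";          /* constructed scratch location */
    if (mkdtemp(dir) == NULL) return 0;
    char decoy[256], link[256];
    snprintf(decoy, sizeof decoy, "%s/decoy.xml", dir);
    snprintf(link, sizeof link, "%s/entity.xml", dir);
    int w = open(decoy, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (w < 0) return 0;
    if (write(w, "<x/>", 4) != 4) { close(w); return 0; }
    close(w);
    if (symlink(decoy, link) != 0) return 0;
    int via_link = open_entity_nofollow(link);  /* expect -1, errno == ELOOP */
    int link_errno = errno;
    int direct = open_entity_nofollow(decoy);   /* expect a valid descriptor */
    int ok = (via_link == -1 && link_errno == ELOOP && direct >= 0);
    if (direct >= 0) close(direct);
    unlink(link); unlink(decoy); rmdir(dir);
    return ok;
}
```

The same O_NOFOLLOW/fstat pattern applies to any custom entity loader installed in place of the default file:// resolution.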
- ✅ Vulnerability confirmed and reproducible
- ⏳ CVE ID requested (pending assignment)
- 🔒 PoC will be published only after coordination with the GNOME security team and CVE assignment
Guiar Oqba
techokba@gmail.com
This repository will be updated with further technical details, full PoC code, and mitigation suggestions once the CVE process is completed.