CVE-2024-56171
CVE Details
Visit the official vulnerability details page for CVE-2024-56171 to learn more.
Initial Publication
02/21/2025
Last Update
10/22/2025
Third Party Dependency
libxml2
NIST CVE Summary
libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.
CVE Severity
Our Official Summary
The vulnerability resides in libxml2, a widely used XML parsing and validation library, affecting versions prior to 2.12.10 and 2.13.x versions prior to 2.13.6. It stems from a use-after-free flaw within the schema validation functions xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c. An attacker could potentially exploit this issue by supplying a specially crafted XML document or XML Schema (XSD) containing specific identity constraints such as xs:unique or xs:key to a system that utilizes a vulnerable version of libxml2.
This CVE has been reported in third-party components, including vSphere CSI and certain Harbor container images. However, if these components are not in use, the vulnerability does not apply. There are no known functional bugs or exploit reports affecting Harbor or vSphere CSI images related to this issue.
The likelihood of successful exploitation through arbitrary code execution is considered low, as containerized environments provide multiple layers of isolation and runtime safeguards.
Once upstream patches are released, they will be integrated into the affected images to remediate the vulnerability.
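As an added example (not part of this advisory or of any vendor tooling), the sketch below applies the version ranges from the NIST summary above to libxml2 version strings collected from images. It assumes the strings come from a package listing or from `xmllint --version`, which prints the version as an integer such as 21305 for 2.13.5. The image names and inventory values are constructed for illustration.

```python
import re

# Fixed releases named in the NIST summary: 2.12.10 and, for 2.13.x, 2.13.6.
FIXED_2_12 = (2, 12, 10)
FIXED_2_13 = (2, 13, 6)

# Constructed sample inventory: image names and version strings are illustrative.
SAMPLE_INVENTORY = {
    "example/registry-a": "xmllint: using libxml version 21305",
    "example/registry-b": "libxml2-2.12.10-1",
    "example/csi-driver": "1:2.9.14+dfsg-1.3",
    "example/tooling": "2.13.6",
}


def parse_libxml2_version(text):
    """Return (major, minor, patch) from a dotted or integer version string."""
    # Dotted form, possibly inside distro packaging: "2.13.5", "1:2.12.7+dfsg-3".
    m = re.search(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)", text)
    if m:
        return tuple(int(g) for g in m.groups())
    # Integer form (LIBXML_VERSION) as printed by xmllint: 21305 means 2.13.5.
    m = re.search(r"\b(\d)(\d{2})(\d{2})\b", text)
    if m:
        return tuple(int(g) for g in m.groups())
    raise ValueError(f"no libxml2 version found in {text!r}")


def is_affected(version):
    """Apply the summary's ranges: before 2.12.10, and 2.13.x before 2.13.6."""
    if version[:2] == (2, 13):
        return version < FIXED_2_13
    return version < FIXED_2_12


def audit(inventory):
    """Map each image to (normalized version, affected flag)."""
    findings = {}
    for image, raw in inventory.items():
        version = parse_libxml2_version(raw)
        findings[image] = (".".join(map(str, version)), is_affected(version))
    return findings


if __name__ == "__main__":
    for image, (ver, affected) in audit(SAMPLE_INVENTORY).items():
        print(f"{image}: libxml2 {ver} -> {'AFFECTED' if affected else 'ok'}")
```

The comparison uses upstream version numbers only. Distribution packages can carry backported fixes under an older version number, so a flagged distro build should be confirmed against that distribution's security tracker.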
Status
Ongoing
Affected Products & Versions
Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |
---|---|---|---|---|
4.7.27 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted |
4.6.41 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ✅ No Impact |
Revision History
Date | Revision |
---|---|
10/22/2025 | Status changed from Open to Ongoing |
10/22/2025 | Official summary added |
10/17/2025 | Advisory assigned with CRITICAL severity |