PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-4570 Mini Xml Project CVE debrief

CVE-2016-4570 describes a denial-of-service issue in Mini-XML (mxml) where the mxmlDelete function in mxml-node.c can consume stack space when processing crafted XML. The public record ties the issue to mxml 2.7 and 2.9, with possibly earlier versions also affected. Organizations that parse untrusted XML with affected builds should treat this as a stability risk and verify whether their packaging or downstream distro version includes the vulnerable code path.

Vendor: Mini Xml Project
Product: CVE-2016-4570
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-03
Original CVE updated: 2026-05-13
Advisory published: 2017-02-03
Advisory updated: 2026-05-13

Who should care

Administrators, developers, and product teams using Mini-XML (mxml) 2.7 or 2.9, or downstream packages that embed it, especially where applications process untrusted XML input. Debian 8.0 was also listed as vulnerable in the NVD CPE data.

Technical summary

NVD describes the flaw as a stack consumption denial of service in mxmlDelete within mxml-node.c, triggered by crafted XML input. The record maps the weakness to CWE-400 (Uncontrolled Resource Consumption) and gives a CVSS v3.1 vector of AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. Note that the narrative description says remote attackers, while the CVSS vector indicates local attack conditions with user interaction; operators should assess the actual exposure of their deployment rather than relying on the description alone.
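To make the score and the remote-versus-local discrepancy concrete, the following C program is an added example (not part of the original debrief or of the NVD record) that computes a CVSS v3.1 base score from a vector string using the published v3.1 equations, and confirms that the vector above yields 5.5. It also shows what the score would become if the attack vector were Network instead of Local, which is the assumption an operator would make when reading the narrative description literally. Only the base metrics are handled; temporal and environmental metrics are ignored.

```c
#include <stdio.h>
#include <string.h>

/* CVSS v3.1 "Roundup": round up to one decimal place using integer
   arithmetic so that values such as 5.4000001 do not become 5.5. */
static double roundup(double x)
{
    long long i = (long long)(x * 100000.0 + 0.5);  /* nearest 1e-5 */
    if (i % 10000 == 0)
        return i / 100000.0;
    return (double)(i / 10000 + 1) / 10.0;
}

/* (iss - 0.02)^15, written as a loop to avoid a libm dependency. */
static double pow15(double b)
{
    double r = 1.0;
    for (int k = 0; k < 15; k++) r *= b;
    return r;
}

/* Return the single-letter value of metric `name` in the vector
   ("AV" -> 'L' for ".../AV:L/..."), or 0 if the metric is absent. */
static char metric(const char *vector, const char *name)
{
    size_t n = strlen(name);
    const char *p = vector;
    while ((p = strstr(p, name)) != NULL) {
        if ((p == vector || p[-1] == '/') && p[n] == ':')
            return p[n + 1];
        p += n;
    }
    return 0;
}

/* Compute the v3.1 base score; returns -1.0 for an unparseable vector.
   An optional "CVSS:3.1/" prefix is tolerated. */
double cvss31_base_score(const char *vector)
{
    char av = metric(vector, "AV"), ac = metric(vector, "AC");
    char pr = metric(vector, "PR"), ui = metric(vector, "UI");
    char s  = metric(vector, "S"),  c  = metric(vector, "C");
    char in = metric(vector, "I"),  a  = metric(vector, "A");
    if (!av || !ac || !pr || !ui || !s || !c || !in || !a) return -1.0;

    int changed = (s == 'C');
    double w_av = av == 'N' ? 0.85 : av == 'A' ? 0.62 : av == 'L' ? 0.55 : av == 'P' ? 0.2 : -1;
    double w_ac = ac == 'L' ? 0.77 : ac == 'H' ? 0.44 : -1;
    double w_pr = pr == 'N' ? 0.85 : pr == 'L' ? (changed ? 0.68 : 0.62)
                                   : pr == 'H' ? (changed ? 0.50 : 0.27) : -1;
    double w_ui = ui == 'N' ? 0.85 : ui == 'R' ? 0.62 : -1;
    char lv[3] = { c, in, a };
    double cia[3];
    for (int k = 0; k < 3; k++)
        cia[k] = lv[k] == 'H' ? 0.56 : lv[k] == 'L' ? 0.22 : lv[k] == 'N' ? 0.0 : -1;
    if (w_av < 0 || w_ac < 0 || w_pr < 0 || w_ui < 0 ||
        cia[0] < 0 || cia[1] < 0 || cia[2] < 0)
        return -1.0;

    double iss = 1.0 - (1 - cia[0]) * (1 - cia[1]) * (1 - cia[2]);
    double impact = changed ? 7.52 * (iss - 0.029) - 3.25 * pow15(iss - 0.02)
                            : 6.42 * iss;
    double expl = 8.22 * w_av * w_ac * w_pr * w_ui;
    if (impact <= 0) return 0.0;
    double raw = changed ? 1.08 * (impact + expl) : impact + expl;
    return roundup(raw < 10.0 ? raw : 10.0);
}

int main(void)
{
    /* Vector from the NVD record for CVE-2016-4570. */
    const char *nvd = "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H";
    /* Same vector with AV:N, i.e. the "remote" reading of the description. */
    const char *remote = "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H";
    printf("NVD vector    -> %.1f\n", cvss31_base_score(nvd));
    printf("AV:N variant  -> %.1f\n", cvss31_base_score(remote));
    return 0;
}
```

The AV:N variant is shown only to quantify the discrepancy the summary points out; the recorded score remains 5.5, and the deployment's real exposure (whether untrusted XML arrives over the network) is what should drive prioritization.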

Defensive priority

Medium

Recommended defensive actions

  • Inventory systems and applications that ship or link against Mini-XML (mxml), especially versions 2.7 and 2.9.
  • Update to a vendor or downstream package release that removes the vulnerable code path if one is available in your distribution.
  • Restrict or validate untrusted XML input before it reaches the parser, and avoid processing attacker-controlled XML in high-availability services.
  • Add monitoring for parser crashes or abnormal stack-related failures in components that handle XML.
  • Check downstream advisories and package trackers, including distro-specific notices, to confirm whether your packaged version is still affected.
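Because the flaw is stack consumption during recursive node handling, the most useful input-side control is a bound on element nesting depth applied before the document reaches the parser. The C program below is an added example (not Mini-XML code and not from the original debrief) implementing a lightweight pre-parse scan that measures the maximum element nesting depth, skipping comments, CDATA sections, processing instructions and quoted attribute values, and rejects input that exceeds a caller-chosen limit or is structurally unbalanced. The limit of 32 in `main` is an assumed policy value; callers would pick one that fits their schema and then hand only accepted documents to `mxmlLoadString` or whichever parser entry point they use.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Locate `needle` in s[from..len); returns its index or len if absent. */
static size_t find_seq(const char *s, size_t len, size_t from, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = from; i + n <= len; i++)
        if (memcmp(s + i, needle, n) == 0)
            return i;
    return len;
}

/* Advance from the '<' at s[i] to the '>' that closes the tag, ignoring
   '>' characters inside quoted attribute values. Returns len if unterminated. */
static size_t tag_end(const char *s, size_t len, size_t i)
{
    char quote = 0;
    for (; i < len; i++) {
        if (quote) { if (s[i] == quote) quote = 0; }
        else if (s[i] == '"' || s[i] == '\'') quote = s[i];
        else if (s[i] == '>') return i;
    }
    return len;
}

/* Return the maximum element nesting depth of the document, or -1 if the
   depth exceeds max_depth, an end tag has no matching start tag, a
   construct is unterminated, or elements remain open at end of input.
   DOCTYPE internal subsets are not parsed; they are skipped to the first
   unquoted '>' (a deliberate simplification of this example). */
int xml_max_nesting_depth(const char *xml, size_t len, int max_depth)
{
    int depth = 0, max_seen = 0;
    size_t i = 0;
    while (i < len) {
        if (xml[i] != '<') { i++; continue; }
        if (len - i >= 4 && memcmp(xml + i, "<!--", 4) == 0) {          /* comment */
            size_t e = find_seq(xml, len, i + 4, "-->");
            if (e == len) return -1;
            i = e + 3; continue;
        }
        if (len - i >= 9 && memcmp(xml + i, "<![CDATA[", 9) == 0) {     /* CDATA */
            size_t e = find_seq(xml, len, i + 9, "]]>");
            if (e == len) return -1;
            i = e + 3; continue;
        }
        if (len - i >= 2 && xml[i + 1] == '?') {                        /* PI / decl */
            size_t e = find_seq(xml, len, i + 2, "?>");
            if (e == len) return -1;
            i = e + 2; continue;
        }
        size_t e = tag_end(xml, len, i);
        if (e == len) return -1;                                        /* unterminated */
        if (xml[i + 1] == '!') {                                        /* DOCTYPE etc. */
            i = e + 1; continue;
        }
        if (xml[i + 1] == '/') {                                        /* end tag */
            if (--depth < 0) return -1;
        } else if (xml[e - 1] != '/') {                                 /* start tag */
            if (++depth > max_depth) return -1;
            if (depth > max_seen) max_seen = depth;
        }
        i = e + 1;
    }
    return depth == 0 ? max_seen : -1;
}

/* Convenience wrapper for NUL-terminated input. */
int xml_depth_str(const char *xml, int max_depth)
{
    return xml_max_nesting_depth(xml, strlen(xml), max_depth);
}

/* Build a constructed document nested n levels deep ("<x>"*n + "</x>"*n)
   and run the check; used to exercise the limit without a fixture file. */
int check_nested_depth(int n, int max_depth)
{
    size_t len = (size_t)n * 7;
    char *buf = malloc(len + 1), *p = buf;
    if (!buf) return -2;
    for (int k = 0; k < n; k++) { memcpy(p, "<x>", 3); p += 3; }
    for (int k = 0; k < n; k++) { memcpy(p, "</x>", 4); p += 4; }
    *p = '\0';
    int r = xml_max_nesting_depth(buf, len, max_depth);
    free(buf);
    return r;
}

int main(void)
{
    const int limit = 32;  /* assumed policy value */
    const char *sample = "<?xml version=\"1.0\"?><cfg><!-- <a><b> --><item id=\"x>y\"/></cfg>";
    printf("sample depth: %d\n", xml_depth_str(sample, limit));
    printf("50-deep document under limit %d: %d\n", limit, check_nested_depth(50, limit));
    return 0;
}
```

The scan is linear in the input size and allocates nothing, so it can run on every request before the parser. Documents that return -1 should be logged and dropped; a count of such rejections is also a useful signal for the crash and abnormal-failure monitoring recommended above.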

Evidence notes

This debrief is based on the supplied NVD CVE record and linked references only. The NVD CPE criteria explicitly mark mini-xml_project mini-xml versions through 2.7 and mini-xml 2.9 as vulnerable, and also list Debian Linux 8.0. The supplied references include 2016 Openwall mailing-list discussions, a SecurityFocus BID entry, a Red Hat Bugzilla issue, and a Debian LTS announcement. The CVE was published on 2017-02-03 in the supplied timeline; related discussion links date to May 2016.

Official resources

Public vulnerability information was published on 2017-02-03 in the supplied CVE/NVD record. Supporting discussion and advisories in the reference list begin in May 2016, and no CISA KEV listing is present in the supplied data.