PatchSiren cyber security CVE debrief

CVE-2016-4571 Mini Xml Project CVE debrief

CVE-2016-4571 is a denial-of-service issue in Mini-XML's mxml_write_node function in mxml-file.c. The vulnerable path can be triggered by crafted XML and may consume excessive stack, preventing normal service. NVD lists Mini-XML 2.9 and 2.7 as affected, with possibly earlier versions also impacted. The CVE was published on 2017-02-03 and later updated by NVD on 2026-05-13.

Vendor: Mini Xml Project
Product: CVE-2016-4571
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-03
Original CVE updated: 2026-05-13
Advisory published: 2017-02-03
Advisory updated: 2026-05-13

Who should care

Teams that embed or ship Mini-XML and process XML from untrusted or attacker-controlled sources, especially if they still run versions identified by NVD as vulnerable.

Technical summary

NVD records this as CWE-400 (Uncontrolled Resource Consumption) with CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The affected function is mxml_write_node in mxml-file.c, and the issue is described as stack consumption leading to denial of service when processing crafted XML. The record text describes remote attackers, while the CVSS vector models local access with user interaction required; both point to an availability-only impact.

Defensive priority

Medium

Recommended defensive actions

  • Inventory products and applications that include Mini-XML and confirm whether they use affected versions.
  • Upgrade to a Mini-XML release that is not listed as vulnerable in the NVD record.
  • Treat XML from untrusted sources as hostile and restrict who can supply it to affected workflows.
  • If immediate upgrading is not possible, isolate the XML-processing component and apply resource limits and monitoring for abnormal stack growth or service termination.
  • Validate dependency and package advisories for downstream distributions, especially if you rely on packaged Mini-XML rather than upstream source.
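
One way to apply the isolation and resource-limit action above, as an added example that is not code from Mini-XML or from the advisory: the XML-writing step runs in a child process with a capped stack, and the parent reports abnormal termination instead of crashing with it. It assumes a POSIX/Linux host; `recurse`, `benign_job`, `hostile_job` and `run_isolated` are hypothetical names, `recurse` is only a stand-in for the library call, and the 1 MiB cap is an arbitrary sample value.

```c
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum outcome { WORKER_OK, WORKER_FAILED, WORKER_KILLED, SPAWN_ERROR };

/* Hypothetical stand-in for the XML-writing call: recursion with ~1 KiB frames. */
static int recurse(int depth) {
    volatile char frame[1024];
    frame[0] = (char)(depth & 0x7f);
    if (depth == 0) return frame[0];
    return recurse(depth - 1) + frame[0];        /* deliberately not a tail call */
}
static int benign_job(void)  { recurse(16); return 0; }               /* constructed input */
static int hostile_job(void) { recurse(4 * 1000 * 1000); return 0; }  /* constructed input */

/* Run job() in a child with a capped stack; the parent only sees the outcome. */
static enum outcome run_isolated(int (*job)(void), rlim_t stack_bytes) {
    fflush(NULL);                                /* avoid duplicated stdio buffers */
    pid_t pid = fork();
    if (pid < 0) return SPAWN_ERROR;
    if (pid == 0) {
        struct rlimit stack = { stack_bytes, stack_bytes };
        struct rlimit core = { 0, 0 };           /* no core files from hostile input */
        if (setrlimit(RLIMIT_STACK, &stack) != 0 || setrlimit(RLIMIT_CORE, &core) != 0)
            _exit(2);
        _exit(job() == 0 ? 0 : 1);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return SPAWN_ERROR;
    if (WIFSIGNALED(status)) {
        /* Monitoring hook: abnormal worker termination is the event to alert on. */
        fprintf(stderr, "xml worker %d killed by signal %d\n", (int)pid, WTERMSIG(status));
        return WORKER_KILLED;
    }
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? WORKER_OK : WORKER_FAILED;
}

int main(void) {
    printf("benign:  %d\n", run_isolated(benign_job, 1024 * 1024));
    printf("hostile: %d\n", run_isolated(hostile_job, 1024 * 1024));
    return 0;
}
```

In a real deployment the job would wrap the application's own Mini-XML call, and the `WORKER_KILLED` branch would feed whatever alerting the service already uses.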

Evidence notes

The official CVE and NVD records identify the issue as CVE-2016-4571 in Mini-XML, with NVD attributing it to mxml_write_node in mxml-file.c and classifying it under CWE-400. The NVD entry lists affected CPEs for mini-xml 2.9, mini-xml up to 2.7, and Debian Linux 8.0, and the record includes a denial-of-service description based on crafted XML causing stack consumption. The provided references include Openwall OSS security mailing list posts, Red Hat Bugzilla, and Debian LTS announcement material linked from the NVD record.

Official resources

Publicly disclosed in the CVE record on 2017-02-03; NVD last modified the entry on 2026-05-13.