libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictComputeFastKey function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for libxml2 Bug 759398.
Conclusion & alert: CVE-2017-9049 is rated High Exploit Risk (80.8/100): CVSS High severity, with high exploitation likelihood (EPSS 4.63%, 90th percentile). Core evidence: 1 public exploit reference(s) are indexed (Exploit-DB). EPSS rose +4.16% over the last day, indicating growing attacker interest. Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| — | nvd_ref | exploit_tag | Exploit-DB ↗ |
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.47% | 4.63% | +4.16% |
| 2 | 2025-12-24 | 0.39% | 0.47% | +0.08% |
| 3 | 2025-12-19 | — | 0.39% | — |
Full EPSS history (24 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.5 | 3.1 | HIGH |
|
3.9 | 3.6 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
| 7.5 | 3.0 | HIGH |
|
3.9 | 3.6 | [email protected] |
| 5.0 | 2.0 | MEDIUM |
|
10.0 | 2.9 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
alpine
|
— | CVE-2017-9049: 1 source package rows (libxml2); 15 state rows across 5 repos (3.19-main, 3.20-main, 3.21-main, 3.22-main, edge-main); fixed 0, open 15. | https://security.alpinelinux.org/vuln/CVE-2017-9049 |
debian
|
not yet assigned | CVE-2017-9049 not yet assigned priority: Debian including 1 source packages (libxml2), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2017-9049 |
gentoo
|
normal | CVE-2017-9049: 1 GLSA(s) (201711-01), 1 atom(s) (dev-libs/libxml2); latest impact normal. | https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2017-9049 |
redhat
|
medium | — | https://access.redhat.com/security/cve/CVE-2017-9049 |
suse
|
high | CVE-2017-9049 severity important: SUSE including 364 source package names (0.9.1:libxml2-2-2.9.4-39.2, 1.0.0:libxml2-2-2.9.4-39.2, …), 513 product×package rows across 102 product lines (Container caasp/v4/default-http-backend, Container caasp/v4/dnsmasq-nanny, … (102 product lines)): Fixed 310, Known Affected 157, Known Not Affected 46. | https://www.suse.com/security/cve/CVE-2017-9049/ |
ubuntu
|
medium | CVE-2017-9049 medium priority: Ubuntu including 1 source packages (libxml2), 5 status rows across 5 suites (trusty, upstream, xenial, yakkety, zesty): released 4, ignored 1. | https://ubuntu.com/security/CVE-2017-9049 |