CVE-2019-13118 in Java SEinfo

Summary

by MITRE

In numbers.c in libxslt 1.1.33, a type holding grouping characters of an xsl:number instruction was too narrow and an invalid character/length combination could be passed to xsltNumberFormatDecimal, leading to a read of uninitialized stack data.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 05/29/2026

The vulnerability identified as CVE-2019-13118 resides within the libxslt library version 1.1.33, specifically in the numbers.c file that handles xsl:number instruction processing. This flaw represents a classic buffer overflow condition that occurs during the handling of grouping characters in XSLT number formatting operations. The issue manifests when the library processes invalid character and length combinations that are passed to the xsltNumberFormatDecimal function, creating a scenario where uninitialized stack memory is read and potentially exposed to unauthorized access.

The technical root cause of this vulnerability stems from insufficient input validation and improper type handling within the grouping character processing logic. When an xsl:number instruction contains malformed grouping character specifications, the system fails to properly validate the character set and length parameters before passing them to the number formatting function. This inadequate validation allows for a situation where a narrow data type is used to store grouping character information that exceeds its capacity, resulting in stack corruption. The vulnerability specifically targets the memory layout of the xsltNumberFormatDecimal function where uninitialized stack data becomes accessible through the flawed type handling mechanism.

From an operational perspective, this vulnerability presents a significant security risk to systems that process untrusted XSLT transformations, particularly in web applications, content management systems, and document processing frameworks that rely on libxslt for XML formatting operations. An attacker could potentially exploit this weakness by crafting malicious XSLT templates containing malformed number instructions that trigger the read of uninitialized stack data. This read operation could expose sensitive information from adjacent memory locations, including cryptographic keys, session tokens, or other confidential data that may be stored in the program's memory space. The vulnerability's impact is amplified in environments where the XSLT processing occurs in a privileged context or where the processing involves sensitive user data.

The vulnerability aligns with CWE-129, which addresses improper validation of length of input buffers, and CWE-125, which covers reading of uninitialized memory. From an ATT&CK framework perspective, this vulnerability maps to T1059.001 for execution through command-line interfaces and potentially T1566 for initial access through malicious document processing. The attack surface extends to any application that utilizes libxslt for processing XSLT transformations, including but not limited to web applications, server-side rendering systems, and document automation platforms. Organizations should consider implementing strict input validation for all XSLT processing operations and ensure that their libxslt libraries are updated to versions that contain the appropriate fixes for this vulnerability. Additionally, security monitoring should be enhanced to detect unusual patterns in XSLT processing that might indicate exploitation attempts, and access controls should be implemented to limit the impact of potential exploitation within the system's attack surface.

Reservation

06/30/2019

Moderation

accepted

Entry

8

Relate

show

CPE

ready

EPSS

0.05147

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!