CVE-2016-1838
CWE-125Published: May 20, 2016· Updated: Jun 17, 2026
Official Description
The xmlPArserPrintFileContextInternal function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document.
Technical Analysis
CVE-2016-1838 requires local access, meaning attackers must already have a foothold on the target system.
Exploitation does not require any privileges, though user interaction (Required) is needed, which slightly reduces the risk of mass automated attacks.
A successful exploit results in availability disruption (denial of service), with a CVSS base score of 5.5.
A proof-of-concept (PoC) exploit exists for CVE-2016-1838. While not yet confirmed in active campaigns, the availability of PoC code increases exploitation risk substantially.
CVSS v3.1 Vector Breakdown
Affected Vendors & Products
Exploit & PoC Resources
Official Patches & Advisories
All References (48)
Quick Facts
Related CVEs (CWE-125)
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2016-1838 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts