In numbers.c in libxslt 1.1.33, a type holding grouping characters of an xsl:number instruction was too narrow and an invalid character/length combination could be passed to xsltNumberFormatDecimal, leading to a read of uninitialized stack data.
{
"unresolved_ranges": [
{
"cpes": [
"cpe:2.3:a:apple:icloud:*:*:*:*:*:windows:*:*"
],
"vendor_product": "apple:icloud",
"extracted_events": [
{
"fixed": "7.13"
},
{
"introduced": "10.0"
},
{
"fixed": "10.6"
}
],
"source": "CPE_RANGE"
},
{
"cpes": [
"cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*"
],
"vendor_product": "apple:iphone_os",
"extracted_events": [
{
"fixed": "12.4"
}
],
"source": "CPE_RANGE"
},
{
"cpes": [
"cpe:2.3:a:apple:itunes:*:*:*:*:*:windows:*:*"
],
"vendor_product": "apple:itunes",
"extracted_events": [
{
"fixed": "12.9.6"
}
],
"source": "CPE_RANGE"
},
{
"cpes": [
"cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*"
],
"vendor_product": "apple:macos",
"extracted_events": [
{
"introduced": "10.4.6"
},
{
"fixed": "10.14.6"
}
],
"source": "CPE_RANGE"
},
{
"cpes": [
"cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*"
],
"vendor_product": "apple:tvos",
"extracted_events": [
{
"fixed": "12.4"
}
],
"source": "CPE_RANGE"
},
{
"cpes": [
"cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:*"
],
"vendor_product": "netapp:e-series_santricity_os_controller",
"extracted_events": [
{
"introduced": "11.0"
},
{
"last_affected": "11.50.2"
}
],
"source": "CPE_RANGE"
},
{
"cpes": [
"cpe:2.3:o:apple:mac_os_x:10.12.6:security_update_2019-001:*:*:*:*:*:*",
"cpe:2.3:o:apple:mac_os_x:10.12.6:security_update_2019-002:*:*:*:*:*:*",
"cpe:2.3:o:apple:mac_os_x:10.12.6:security_update_2019-003:*:*:*:*:*:*",
"cpe:2.3:o:apple:mac_os_x:10.13.6:security_update_2019-001:*:*:*:*:*:*",
"cpe:2.3:o:apple:mac_os_x:10.13.6:security_update_2019-002:*:*:*:*:*:*",
"cpe:2.3:o:apple:mac_os_x:10.13.6:security_update_2019-003:*:*:*:*:*:*"
],
"vendor_product": "apple:mac_os_x",
"extracted_events": [
{
"introduced": "10.12.6-security_update_2019\\-001"
},
{
"last_affected": "10.12.6-security_update_2019\\-001"
},
{
"introduced": "10.12.6-security_update_2019\\-002"
},
{
"last_affected": "10.12.6-security_update_2019\\-002"
},
{
"introduced": "10.12.6-security_update_2019\\-003"
},
{
"last_affected": "10.12.6-security_update_2019\\-003"
},
{
"introduced": "10.13.6-security_update_2019\\-001"
},
{
"last_affected": "10.13.6-security_update_2019\\-001"
},
{
"introduced": "10.13.6-security_update_2019\\-002"
},
{
"last_affected": "10.13.6-security_update_2019\\-002"
},
{
"introduced": "10.13.6-security_update_2019\\-003"
},
{
"last_affected": "10.13.6-security_update_2019\\-003"
}
],
"source": "CPE_STRING"
},
{
"cpes": [
"cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*",
"cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*",
"cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*",
"cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
"cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*",
"cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*"
],
"vendor_product": "canonical:ubuntu_linux",
"extracted_events": [
{
"introduced": "12.04"
},
{
"last_affected": "12.04"
},
{
"introduced": "14.04"
},
{
"last_affected": "14.04"
},
{
"introduced": "16.04"
},
{
"last_affected": "16.04"
},
{
"introduced": "18.04"
},
{
"last_affected": "18.04"
},
{
"introduced": "19.04"
},
{
"last_affected": "19.04"
},
{
"introduced": "19.10"
},
{
"last_affected": "19.10"
}
],
"source": "CPE_STRING"
},
{
"cpes": [
"cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*"
],
"vendor_product": "fedoraproject:fedora",
"extracted_events": [
{
"introduced": "31"
},
{
"last_affected": "31"
}
],
"source": "CPE_STRING"
},
{
"cpes": [
"cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*"
],
"vendor_product": "opensuse:leap",
"extracted_events": [
{
"introduced": "15.1"
},
{
"last_affected": "15.1"
}
],
"source": "CPE_STRING"
},
{
"cpes": [
"cpe:2.3:a:oracle:jdk:1.8.0:update231:*:*:*:*:*:*"
],
"vendor_product": "oracle:jdk",
"extracted_events": [
{
"introduced": "1.8.0-update231"
},
{
"last_affected": "1.8.0-update231"
}
],
"source": "CPE_STRING"
}
]
}[
{
"digest": {
"function_hash": "36987421056926122074875227490358574962",
"length": 7644.0
},
"target": {
"function": "xsltFormatNumberConversion",
"file": "libxslt/numbers.c"
},
"id": "CVE-2019-13118-63665d4a",
"signature_version": "v1",
"signature_type": "Function",
"source": "https://gitlab.gnome.org/gnome/libxslt@6ce8de69330783977dd14f6569419489875fb71b",
"deprecated": false
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"63548434003007382491243147779269090701",
"116955402715987170288711090571509490340",
"132181306849488116102938414544554454906",
"93187498953954641064648803514721959766",
"132823863448370179372582377013990202357",
"265666783747685004834146135985363637479",
"171703248105306918475769584619162783632",
"288508257822198863614058207703000070769",
"302340413245318396511100747024947294852",
"165038232749100568916570064743469772324"
]
},
"target": {
"file": "libxslt/numbers.c"
},
"id": "CVE-2019-13118-cb30633e",
"signature_version": "v1",
"signature_type": "Line",
"source": "https://gitlab.gnome.org/gnome/libxslt@6ce8de69330783977dd14f6569419489875fb71b",
"deprecated": false
}
]
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-13118.json"
"2026-07-08T16:07:44Z"