
CVE-2025-49794

EUVD-2025-18412 (CRITICAL)
Expired Pointer Dereference (CWE-825)
2025-06-16, secalert@redhat.com
Severity: Critical (disputed; NVD 9.1)

Severity by source

Sources disagree (Medium–Critical)
NVD (primary): 9.1 CRITICAL, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Ubuntu: MEDIUM (qualitative)
SUSE: CRITICAL (qualitative)
Red Hat: 9.1 HIGH (qualitative)

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: High

Lifecycle Timeline

7 events:
Analysis Updated: Apr 19, 2026 - 20:29 (vuln.today), v2 (cvss_changed)
Re-analysis Queued: Apr 19, 2026 - 20:22 (vuln.today), cvss_changed
Patch released: Mar 31, 2026 - 21:13 (nvd), Patch available
PoC Detected: Mar 20, 2026 - 20:16 (vuln.today), Public exploit code
EUVD ID Assigned: Mar 14, 2026 - 21:59 (euvd), EUVD-2025-18412
Analysis Generated: Mar 14, 2026 - 21:59 (vuln.today)
CVE Published: Jun 16, 2025 - 16:15 (nvd), CRITICAL 9.1

Description (CVE.org)

A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the <sch:name path="..."/> schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors.

Analysis (AI)

Use-after-free in libxml2 XPath parsing allows remote attackers to crash applications via malicious XML Schematron documents. The vulnerability (CVSS 9.1) affects widespread Red Hat ecosystem products including RHEL 7-10 and OpenShift 4.12-4.20, with vendor patches available. Public exploit code exists but CISA KEV does not list active exploitation. EPSS score of 0.11% (30th percentile) suggests low observed exploitation probability despite critical CVSS rating and POC availability, indicating targeted research interest rather than mass exploitation.

Technical Context (AI)

Libxml2 is a widely-deployed XML parsing library used across Linux distributions and enterprise platforms. This CWE-825 (Expired Pointer Dereference) vulnerability occurs in the XPath expression evaluation engine when processing Schematron validation rules containing specific 'sch:name path' schema elements. The use-after-free condition arises when memory allocated for XPath node objects is freed prematurely but subsequently referenced during Schematron validation, creating a dangling pointer. The CVSS vector (AV:N/AC:L) indicates network-reachable exploitation with low complexity, while the I:H/A:H ratings reflect that successful exploitation can cause both integrity violations (undefined behavior potentially leading to memory corruption) and availability impact (application crash). Red Hat advisory data shows this affects libxml2 versions 2.9.1 through 2.12.5 across multiple product lines.

Remediation (AI)

Apply vendor-released patches immediately for internet-facing systems processing untrusted XML. Red Hat provides fixed versions: libxml2 0:2.9.1-6.el7_9.10 (RHEL 7), 0:2.9.7-21.el8_10.1 (RHEL 8), 0:2.9.13-10.el9_6 (RHEL 9), and 0:2.12.5-7.el10_0 (RHEL 10). OpenShift users should upgrade to patched container platform releases per advisories RHSA-2025:12098 through RHSA-2025:15828. Ubuntu users should apply updates via USN-7694-1, and Debian users via DLA-4251-1.

For systems that cannot be patched immediately, implement compensating controls: disable Schematron validation in XML parsing configurations if it is not operationally required (eliminates the attack surface entirely but removes schema validation capability); implement strict input validation at the application layer to reject XML documents containing 'sch:name' elements (reduces functionality for legitimate Schematron use cases); or restrict XML processing to trusted sources only via network segmentation and authentication (limits exposure but does not prevent insider threats or supply chain attacks).

Monitor application logs for abnormal XML parsing crashes as potential exploitation indicators. Note that disabling Schematron affects schema-based validation workflows and may break dependent business processes.
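One way to check a host against the Red Hat fixed builds listed above, as an added example (not code from vuln.today or Red Hat): it uses a simplified re-implementation of RPM's version-segment comparison that assumes no `~` or `^` markers in the version strings, and the installed-version samples are constructed.

```python
import re
from itertools import zip_longest

# Fixed libxml2 builds per RHEL major release, copied from the remediation text.
FIXED = {
    "el7": "0:2.9.1-6.el7_9.10",
    "el8": "0:2.9.7-21.el8_10.1",
    "el9": "0:2.9.13-10.el9_6",
    "el10": "0:2.12.5-7.el10_0",
}

def _cmp_part(a, b):
    """Compare one version or release string the way RPM does (simplified)."""
    # RPM compares maximal runs of digits or letters; anything else separates.
    seg_a = re.findall(r"[0-9]+|[A-Za-z]+", a)
    seg_b = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip_longest(seg_a, seg_b):
        if x is None or y is None:      # the string with segments left is newer
            return -1 if x is None else 1
        if x.isdigit() != y.isdigit():  # a numeric segment beats an alphabetic one
            return 1 if x.isdigit() else -1
        if x.isdigit():                 # numeric: 10 > 9, unlike string order
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return 0

def parse_evr(evr):
    """Split '[epoch:]version-release'; a missing epoch counts as 0."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return epoch or "0", version, release

def evr_cmp(a, b):
    for part_a, part_b in zip(parse_evr(a), parse_evr(b)):
        result = _cmp_part(part_a, part_b)
        if result:
            return result
    return 0

def is_patched(installed_evr):
    """True if the installed build is at or above the fixed build for its release."""
    match = re.search(r"\.(el[0-9]+)", installed_evr)
    if not match or match.group(1) not in FIXED:
        raise ValueError(f"no fixed build listed for {installed_evr!r}")
    return evr_cmp(installed_evr, FIXED[match.group(1)]) >= 0

if __name__ == "__main__":
    for evr in ("2.9.1-6.el7_9.6", "0:2.9.13-10.el9_6"):  # constructed samples
        print(evr, "patched" if is_patched(evr) else "VULNERABLE")
```

The installed string can be taken from `rpm -q --qf '%{VERSION}-%{RELEASE}\n' libxml2`; a plain string comparison would wrongly rank `el7_9.6` above `el7_9.10`, which is why the segments are compared numerically.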

Vendor Status (Vendor)

Ubuntu

Priority: Medium
libxml2
Release    Status    Version
oracular   ignored   end of life, was needs-triage
upstream   released  -
bionic     released  2.9.4+dfsg1-6.1ubuntu1.9+esm4
focal      released  2.9.10+dfsg-5ubuntu0.20.04.10+esm1
jammy      released  2.9.13+dfsg-1ubuntu0.8
noble      released  2.9.14+dfsg-1.3ubuntu3.4
plucky     released  2.12.7+dfsg+really2.9.14-0.4ubuntu0.2
trusty     released  2.9.1+dfsg1-3ubuntu4.13+esm8
xenial     released  2.9.3+dfsg1-1ubuntu0.7+esm9

Debian

Bug #1107755
libxml2
Release              Status  Fixed Version                          Urgency
bullseye             fixed   2.9.10+dfsg-6.7+deb11u8                -
bullseye (security)  fixed   2.9.10+dfsg-6.7+deb11u9                -
bookworm             fixed   2.9.14+dfsg-1.3~deb12u3                -
bookworm (security)  fixed   2.9.14+dfsg-1.3~deb12u4                -
trixie               fixed   2.12.7+dfsg+really2.9.14-2.1+deb13u2   -
trixie (security)    fixed   2.12.7+dfsg+really2.9.14-2.1+deb13u1   -
forky, sid           fixed   2.15.1+dfsg-2                          -
(unstable)           fixed   2.12.7+dfsg+really2.9.14-2             -

SUSE

Severity: Critical
Product Status
Container bci/kiwi:9.24.43-16.25 Image SLES15-SP7-SAPCAL-Azure Image SLES15-SP7-SAPCAL-EC2 Image SLES15-SP7-SAPCAL-GCE Affected
Container bci/spack:0.23.1-11.20 Container containers/lmcache-vllm-openai:0.3.2-1.2 Container containers/open-webui:0.6.9-10.36 Container containers/pytorch:2.7.0-nvidia-2.33 Container containers/vllm-openai:0.9.1-1.2 Container private-registry/harbor-db:2.12.2-2.16 Container private-registry/harbor-nginx:1.21.5-2.15 Container suse/manager/5.0/x86_64/proxy-salt-broker:5.0.5.1.7.28.2 Container suse/manager/5.0/x86_64/proxy-squid:5.0.5.1.7.26.1 Container suse/manager/5.0/x86_64/server-migration-14-16:5.0.5.1.7.26.2 Container suse/mariadb:10.11.11-68.18 Container suse/sle-micro/5.5/toolbox:14.2-3.12.59 Container suse/sle-micro/5.5:2.0.4-5.5.329 Container suse/sle-micro/base-5.5:2.0.4-5.8.185 Container suse/sle-micro/kvm-5.5:2.0.4-3.5.354 Container suse/sle-micro/rt-5.5:2.0.4-4.5.430 Image SLES15-SP5-Azure-3P Image SLES15-SP5-Azure-Basic Image SLES15-SP5-Azure-Standard Image SLES15-SP5-BYOS-Azure Image SLES15-SP5-BYOS-EC2 Image SLES15-SP5-BYOS-GCE Image SLES15-SP5-CHOST-BYOS-Aliyun Image SLES15-SP5-CHOST-BYOS-Azure Image SLES15-SP5-CHOST-BYOS-EC2 Image SLES15-SP5-CHOST-BYOS-GCE Image SLES15-SP5-CHOST-BYOS-GDC Image SLES15-SP5-CHOST-BYOS-SAP-CCloud Image SLES15-SP5-EC2 Image SLES15-SP5-GCE Image SLES15-SP5-HPC-Azure Image SLES15-SP5-HPC-BYOS-Azure Image SLES15-SP5-HPC-BYOS-EC2 Image SLES15-SP5-HPC-BYOS-GCE Image SLES15-SP5-Hardened-BYOS-Azure Image SLES15-SP5-Hardened-BYOS-EC2 Image SLES15-SP5-Hardened-BYOS-GCE Image SLES15-SP6 Image SLES15-SP6-Azure-3P Image SLES15-SP6-Azure-Basic Image SLES15-SP6-Azure-Standard Image SLES15-SP6-BYOS Image SLES15-SP6-BYOS-Azure Image SLES15-SP6-BYOS-EC2 Image SLES15-SP6-BYOS-GCE Image SLES15-SP6-CHOST-BYOS Image SLES15-SP6-CHOST-BYOS-Aliyun Image SLES15-SP6-CHOST-BYOS-Azure Image SLES15-SP6-CHOST-BYOS-EC2 Image SLES15-SP6-CHOST-BYOS-GCE Image SLES15-SP6-CHOST-BYOS-GDC Image SLES15-SP6-CHOST-BYOS-SAP-CCloud Image SLES15-SP6-EC2 Image SLES15-SP6-EC2-ECS-HVM Image SLES15-SP6-GCE Image SLES15-SP6-HPC Image SLES15-SP6-HPC-Azure Image 
SLES15-SP6-HPC-BYOS Image SLES15-SP6-HPC-BYOS-Azure Image SLES15-SP6-HPC-BYOS-EC2 Image SLES15-SP6-HPC-BYOS-GCE Image SLES15-SP6-HPC-EC2 Image SLES15-SP6-HPC-GCE Image SLES15-SP6-Hardened-BYOS Image SLES15-SP6-Hardened-BYOS-Azure Image SLES15-SP6-Hardened-BYOS-EC2 Image SLES15-SP6-Hardened-BYOS-GCE Image ai_15_6 Affected
Container private-registry/harbor-portal:1.1.0-1.1 Container suse/hpc/warewulf4-x86_64/sle-hpc-node:15.7.20.5.1 Container suse/multi-linux-manager/5.1/x86_64/proxy-httpd:5.1.0.6.27 Container suse/multi-linux-manager/5.1/x86_64/proxy-salt-broker:5.1.0.7.32 Container suse/multi-linux-manager/5.1/x86_64/proxy-squid:5.1.0.6.21 Container suse/multi-linux-manager/5.1/x86_64/server-migration-14-16:5.1.0.6.27 Container suse/multi-linux-manager/5.1/x86_64/server-postgresql:5.1.2.6.13.1 Container suse/multi-linux-manager/5.1/x86_64/server-saline:5.1.2.9.13.1 Image SLES15-SP7-Azure-3P Image SLES15-SP7-Azure-Basic Image SLES15-SP7-Azure-Standard Image SLES15-SP7-BYOS-Azure Image SLES15-SP7-BYOS-EC2 Image SLES15-SP7-BYOS-GCE Image SLES15-SP7-CHOST-BYOS-Aliyun Image SLES15-SP7-CHOST-BYOS-Azure Image SLES15-SP7-CHOST-BYOS-EC2 Image SLES15-SP7-CHOST-BYOS-GCE Image SLES15-SP7-CHOST-BYOS-GDC Image SLES15-SP7-CHOST-BYOS-SAP-CCloud Image SLES15-SP7-EC2 Image SLES15-SP7-EC2-ECS-HVM Image SLES15-SP7-GCE Image SLES15-SP7-GCE-3P Image SLES15-SP7-HPC-Azure Image SLES15-SP7-HPC-BYOS-Azure Image SLES15-SP7-HPC-BYOS-EC2 Image SLES15-SP7-HPC-BYOS-GCE Image SLES15-SP7-Hardened-BYOS-Azure Image SLES15-SP7-Hardened-BYOS-EC2 Image SLES15-SP7-Hardened-BYOS-GCE Image proxy-httpd-image Image proxy-salt-broker-image Image proxy-squid-image Image server-database-migration-image Image server-image Image server-migration-14-16-image Image server-postgresql-image Image server-saline-image Affected
Container suse/ltss/sle12.5/sles12sp5:8.5.107 Image SLES12-SP5-Azure-BYOS Image SLES12-SP5-Azure-HPC-BYOS Image SLES12-SP5-Azure-HPC-On-Demand Image SLES12-SP5-Azure-Standard-On-Demand Image SLES12-SP5-EC2-BYOS Image SLES12-SP5-EC2-ECS-On-Demand Image SLES12-SP5-EC2-On-Demand Image SLES12-SP5-GCE-BYOS Image SLES12-SP5-GCE-On-Demand Affected
Container suse/manager/4.3/proxy-httpd:4.3.15.9.63.43 Image SLES15-SP4-Manager-Proxy-4-3-BYOS Image SLES15-SP4-Manager-Proxy-4-3-BYOS-Azure Image SLES15-SP4-Manager-Proxy-4-3-BYOS-EC2 Image SLES15-SP4-Manager-Proxy-4-3-BYOS-GCE Affected
