CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Description (NVD)
A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the <sch:name path="..."/> schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors.
Analysis (AI)
Use-after-free vulnerability in libxml2 that occurs during XPath parsing when processing XML documents with schematron <sch:name path="..."/> elements. This flaw affects any application using vulnerable versions of libxml2 and allows unauthenticated remote attackers to crash the application or potentially achieve code execution through a maliciously crafted XML document. The vulnerability has a critical CVSS score of 9.1 with high integrity and availability impact.
Technical Context (AI)
The vulnerability exists in libxml2's XPath parser, specifically in how it handles memory during the processing of schematron validation elements with path attributes. Schematron is an XML schema validation language that uses XPath expressions for assertion rules. CWE-825 (Expired Pointer Dereference) indicates that the parser fails to properly manage object lifecycles, continuing to reference memory that has been freed. This is a classic memory safety issue where the XML parser deallocates an object during schematron processing but subsequent XPath evaluation operations attempt to dereference the freed memory. The vulnerability is triggered during the interpretation of <sch:name path="..."/> elements specifically, suggesting a flaw in how the schematron extension module coordinates memory management with the core XPath engine.
Remediation (AI)
Immediate remediation steps:

1. Update libxml2 to the latest patched version released by the xmlsoft.org project (patch version details require reference to official security advisories).
2. If immediate patching is impossible, implement input validation: reject XML documents containing <sch:name path="..."/> elements if schematron validation is not required.
3. Run XML parsing in isolated processes or containers to limit blast radius of crashes.
4. Disable schematron validation if not required in your application.
5. Implement strict XML schema validation before XPath processing to reject malformed schematron documents.
6. Monitor for application crashes or unexpected terminations when processing XML inputs.

For distributors: rebuild all dependent packages against the patched libxml2 version. Check xmlsoft.org's CVE advisory page and GitHub releases for exact patch version numbers.
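One way to implement the input check from step 2, as an added example that is not code from this page or from the libxml2 project. It scans with Python's expat bindings so the gate itself does not pass the document through libxml2; the function names and the sample schema are hypothetical, and the two URIs are the ISO Schematron and Schematron 1.5 namespaces.

```python
import xml.parsers.expat

# ISO Schematron and Schematron 1.5 namespace URIs.
SCHEMATRON_NS = {
    "http://purl.oclc.org/dsdl/schematron",
    "http://www.ascc.net/xml/schematron",
}

class RejectedDocument(Exception):
    """Raised for constructs the gate refuses outright."""

def find_name_path_elements(data: bytes) -> list[tuple[int, str]]:
    """Return (line, path value) for each Schematron <name path="..."/>."""
    hits = []
    # With a namespace separator, expat reports tags as "uri local",
    # so the match does not depend on the prefix the author chose.
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")

    def on_start(tag, attrs):
        ns, _, local = tag.rpartition(" ")
        if local == "name" and ns in SCHEMATRON_NS and "path" in attrs:
            hits.append((parser.CurrentLineNumber, attrs["path"]))

    def on_doctype(*_):
        # A schema has no need for a DTD here; refuse instead of expanding entities.
        raise RejectedDocument("DOCTYPE not allowed")

    parser.StartElementHandler = on_start
    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(data, True)
    return hits

def is_acceptable(data: bytes) -> bool:
    """Fail closed: malformed input or any <name path> means reject."""
    try:
        return not find_name_path_elements(data)
    except (RejectedDocument, xml.parsers.expat.ExpatError):
        return False

# Constructed sample schema for illustration only.
SAMPLE = b"""<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron">
  <sch:pattern>
    <sch:rule context="book">
      <sch:assert test="title">No title in <sch:name path="@id"/></sch:assert>
    </sch:rule>
  </sch:pattern>
</sch:schema>"""

if __name__ == "__main__":
    for line, path in find_name_path_elements(SAMPLE):
        print(f"line {line}: <name path={path!r}> present, rejecting")
```

A filter like this is a stopgap for unpatched hosts and only applies where the application accepts Schematron schemas from untrusted sources.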
Vendor Status (Vendor)
Ubuntu
Priority: Medium

| Release | Status | Version |
|---|---|---|
| oracular | ignored | end of life, was needs-triage |
| upstream | released | - |
| bionic | released | 2.9.4+dfsg1-6.1ubuntu1.9+esm4 |
| focal | released | 2.9.10+dfsg-5ubuntu0.20.04.10+esm1 |
| jammy | released | 2.9.13+dfsg-1ubuntu0.8 |
| noble | released | 2.9.14+dfsg-1.3ubuntu3.4 |
| plucky | released | 2.12.7+dfsg+really2.9.14-0.4ubuntu0.2 |
| trusty | released | 2.9.1+dfsg1-3ubuntu4.13+esm8 |
| xenial | released | 2.9.3+dfsg1-1ubuntu0.7+esm9 |
Debian
Bug #1107755

| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | fixed | 2.9.10+dfsg-6.7+deb11u8 | - |
| bullseye (security) | fixed | 2.9.10+dfsg-6.7+deb11u9 | - |
| bookworm | fixed | 2.9.14+dfsg-1.3~deb12u3 | - |
| bookworm (security) | fixed | 2.9.14+dfsg-1.3~deb12u4 | - |
| trixie | fixed | 2.12.7+dfsg+really2.9.14-2.1+deb13u2 | - |
| trixie (security) | fixed | 2.12.7+dfsg+really2.9.14-2.1+deb13u1 | - |
| forky, sid | fixed | 2.15.1+dfsg-2 | - |
| (unstable) | fixed | 2.12.7+dfsg+really2.9.14-2 | - |
EUVD-2025-18412