EUVD-2025-20998

CVE-2025-7425 HIGH
2025-07-10 [email protected]
CVSS 3.1: 7.8

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H

Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: None
Integrity: High
Availability: High

Lifecycle Timeline

Patch Released: Mar 31, 2026 - 21:13 (nvd), Patch available
Analysis Generated: Mar 16, 2026 - 06:52 (vuln.today)
EUVD ID Assigned: Mar 16, 2026 - 06:52 (euvd), EUVD-2025-20998
PoC Detected: Jan 22, 2026 - 05:16 (vuln.today), Public exploit code
CVE Published: Jul 10, 2025 - 14:15 (nvd), HIGH 7.8

Description (NVD)

A flaw was found in libxslt where the attribute type, atype, flags are modified in a way that corrupts internal memory management. When XSLT functions, such as the key() process, result in tree fragments, this corruption prevents the proper cleanup of ID attributes. As a result, the system may access freed memory, causing crashes or enabling attackers to trigger heap corruption.

Analysis (AI)

CVE-2025-7425 is a use-after-free (UAF) vulnerability in libxslt where improper memory management during XSLT tree fragment processing leads to heap corruption and potential code execution. The vulnerability affects libxslt library versions processing XSLT functions like key() that generate tree fragments, allowing local attackers with no privileges to trigger crashes or heap corruption through crafted XSLT stylesheets. While CVSS 7.8 indicates high severity, real-world impact depends on KEV inclusion status and whether public exploits exist; this vulnerability presents significant risk to applications embedding libxslt and processing untrusted XSLT input.

Technical Context (AI)

libxslt is a widely used XSLT 1.0 processor library (CPE: cpe:2.3:a:xmlsoft:libxslt:*:*:*:*:*:*:*:*) that transforms XML documents using stylesheets. The vulnerability is rooted in CWE-416 (Use After Free): the internal attribute type field (atype) and its associated flags become corrupted during XSLT key() function processing when tree fragments are generated. This corruption prevents proper cleanup and dereferencing of ID attributes, leaving dangling pointers. When the memory management cleanup routines subsequently attempt to access these freed ID attribute structures, the system dereferences invalid memory addresses. This is particularly dangerous because XSLT tree fragments are temporary data structures created during dynamic XSLT function evaluation, and improper state management during their lifecycle leads directly to use-after-free conditions.

Remediation (AI)

  1. IMMEDIATE: Update libxslt to the patched version (typically 1.1.39 or later, pending official release confirmation).
  2. Distribution-specific patches: Monitor Red Hat Security Advisory (RHSA), Debian Security Advisory (DSA), Ubuntu Security Notice (USN), and other vendor-specific channels for backported patches to maintained versions.
  3. WORKAROUND (temporary): Restrict XSLT stylesheet sources to trusted, pre-validated input only; disable XSLT processing if not required; use XSLT sandboxing via operating system controls (containers, seccomp, AppArmor) to limit impact of potential heap corruption.
  4. VALIDATION: Recompile dependent applications against patched libxslt version; regression test XSLT transformations, especially those using key() function and tree fragment generation.
  5. MONITORING: Deploy runtime heap corruption detection (AddressSanitizer, Valgrind in non-production diagnostics) to catch exploitation attempts; monitor for segmentation faults or unexpected process terminations in XSLT processing workflows.

Vendor Status

Ubuntu

Priority: Medium

libxslt

| Release | Status | Version / Note |
|---|---|---|
| oracular | ignored | end of life, was needs-triage |
| bionic | not-affected | code not present |
| focal | not-affected | code not present |
| jammy | not-affected | code not present |
| xenial | not-affected | code not present |
| noble | deferred | 2026-03-03 |
| questing | deferred | 2026-03-03 |
| upstream | deferred | 2026-03-03 |
| plucky | ignored | end of life, was deferred [2026-03-03] |
| trusty | not-affected | code not present |

libxml2

| Release | Status | Version |
|---|---|---|
| questing | not-affected | 2.14.5+dfsg-0.2 |
| jammy | released | 2.9.13+dfsg-1ubuntu0.10 |
| bionic | released | 2.9.4+dfsg1-6.1ubuntu1.9+esm6 |
| focal | released | 2.9.10+dfsg-5ubuntu0.20.04.10+esm3 |
| trusty | released | 2.9.1+dfsg1-3ubuntu4.13+esm10 |
| upstream | released | 2.14.5+dfsg-0.1 |
| noble | released | 2.9.14+dfsg-1.3ubuntu3.6 |
| plucky | released | 2.12.7+dfsg+really2.9.14-0.4ubuntu0.4 |
| xenial | released | 2.9.3+dfsg1-1ubuntu0.7+esm11 |

Debian

Bug #1109122

libxslt

| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | not-affected | - | - |
| bullseye (security) | fixed | 1.1.34-4+deb11u3 | - |
| bookworm, bookworm (security) | fixed | 1.1.35-1+deb12u3 | - |
| trixie (security), trixie | fixed | 1.1.35-1.2+deb13u2 | - |
| forky, sid | vulnerable | 1.1.43-0.3 | - |
| bookworm | not-affected | - | - |
| trixie | not-affected | - | - |
| (unstable) | fixed | (unfixed) | - |
