CVE-2025-32414
Published 2025-04-08
CVE-2025-32414: In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return…
Priority: P3 | 37 | high | CVSS 3.1 base score 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.33% (24.8th percentile)
In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters.
Affected (16 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libxml2 | < libxml2 2.9.14+dfsg-1.3~deb12u2 (bookworm) | libxml2 2.9.14+dfsg-1.3~deb12u2 (bookworm) |
| msrc | azl3_libxml2_2.11.5-5_on_azure_linux_3.0 | — | — |
| msrc | cbl2_libxml2_2.10.4-7_on_cbl_mariner_2.0 | — | — |
| nokogiri | nokogiri | >= 0 < 1.18.8 | 1.18.8 |
| xmlsoft | libxml2 | < 2.13.8 | 2.13.8 |
| xmlsoft | libxml2 | >= 0 < 2.9.10+dfsg-6.7+deb11u7 | 2.9.10+dfsg-6.7+deb11u7 |
| xmlsoft | libxml2 | >= 0 < 2.9.14+dfsg-1.3~deb12u2 | 2.9.14+dfsg-1.3~deb12u2 |
| xmlsoft | libxml2 | >= 0 < 2.12.7+dfsg+really2.9.14-1 | 2.12.7+dfsg+really2.9.14-1 |
| xmlsoft | libxml2 | >= 0 < 2.12.7+dfsg+really2.9.14-1 | 2.12.7+dfsg+really2.9.14-1 |
| xmlsoft | libxml2 | >= 0 < 2.9.10+dfsg-5ubuntu0.20.04.10 | 2.9.10+dfsg-5ubuntu0.20.04.10 |
| xmlsoft | libxml2 | >= 0 < 2.9.13+dfsg-1ubuntu0.7 | 2.9.13+dfsg-1ubuntu0.7 |
| xmlsoft | libxml2 | >= 0 < 2.9.14+dfsg-1.3ubuntu3.3 | 2.9.14+dfsg-1.3ubuntu3.3 |
| xmlsoft | libxml2 | >= 0 < 2.9.1+dfsg1-3ubuntu4.13+esm10 | 2.9.1+dfsg1-3ubuntu4.13+esm10 |
| xmlsoft | libxml2 | >= 0 < 2.9.3+dfsg1-1ubuntu0.7+esm8 | 2.9.3+dfsg1-1ubuntu0.7+esm8 |
| xmlsoft | libxml2 | >= 0 < 2.9.4+dfsg1-6.1ubuntu1.9+esm3 | 2.9.4+dfsg1-6.1ubuntu1.9+esm3 |
| xmlsoft | libxml2 | >= 2.14.0 < 2.14.2 | 2.14.2 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| ghsa | 7.5 | HIGH | |
| osv | 7.5 | HIGH | |
| vendor_debian | 5.6 | MEDIUM | |
| vendor_msrc | 5.6 | MEDIUM | |
| vendor_redhat | 5.6 | MEDIUM | |
| vendor_ubuntu | 5.6 | MEDIUM | |
OSV: libxml2 vulnerabilities
osv · 2025-11-27 · CVSS 7.5 · CVE-2025-32414 [HIGH]
It was discovered that the libxml2 Python bindings incorrectly handled certain return values. An attacker could possibly use this issue to cause libxml2 to crash, resulting in a denial of service. (CVE-2025-32414)
It was discovered that libxml2 incorrectly handled certain memory operations. A remote attacker could possibly use this issue to cause libxml2 to crash, resulting in a denial of service. (CVE-2025-32415)
It was discovered that libxslt, used by libxml2, incorrectly handled certain attributes. An attacker could use this issue to cause a crash, resulting in a denial of service, or possibly execute arbitrary code. This update adds a fix to libxml2 to mitigate the libxslt vulnerability. (CVE-2025-7425)
OSV: libxml2 vulnerabilities
osv · 2025-04-28 · CVSS 7.5 · CVE-2025-32414 [HIGH]
USN-7467-1 fixed several vulnerabilities in libxml2. This update provides the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.
Original advisory details:
It was discovered that the libxml2 Python bindings incorrectly handled certain return values. An attacker could possibly use this issue to cause libxml2 to crash, resulting in a denial of service. (CVE-2025-32414)
It was discovered that libxml2 incorrectly handled certain memory operations. A remote attacker could possibly use this issue to cause libxml2 to crash, resulting in a denial of service. (CVE-2025-32415)
OSV: libxml2 vulnerabilities
osv · 2025-04-28 · CVSS 7.5 · CVE-2025-32414 [HIGH]
It was discovered that the libxml2 Python bindings incorrectly handled certain return values. An attacker could possibly use this issue to cause libxml2 to crash, resulting in a denial of service. (CVE-2025-32414)
It was discovered that libxml2 incorrectly handled certain memory operations. A remote attacker could possibly use this issue to cause libxml2 to crash, resulting in a denial of service. (CVE-2025-32415)
GHSA: Nokogiri updates packaged libxml2 to v2.13.8 to resolve CVE-2025-32414 and CVE-2025-32415
ghsa · 2025-04-21 · CVSS 7.5 · CVE-2025-32414 [HIGH] · CWE-1395
## Summary
Nokogiri v1.18.8 upgrades its dependency libxml2 to [v2.13.8](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.8).
libxml2 v2.13.8 addresses:
- CVE-2025-32414
  - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/889
- CVE-2025-32415
  - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/890
## Impact
### CVE-2025-32414: No impact
In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters.
**There is no impact** from this CVE for Nokogiri users.
OSV: Nokogiri updates packaged libxml2 to v2.13.8 to resolve CVE-2025-32414 and CVE-2025-32415
osv · 2025-04-21 · CVSS 7.5 · CVE-2025-32414 [HIGH]
## Summary
Nokogiri v1.18.8 upgrades its dependency libxml2 to [v2.13.8](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.8).
libxml2 v2.13.8 addresses:
- CVE-2025-32414
  - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/889
- CVE-2025-32415
  - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/890
## Impact
### CVE-2025-32414: No impact
In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters.
**There is no impact** from this CVE for Nokogiri users.
GHSA: GHSA-mfrm-w63c-3x58
ghsa_unreviewed · 2025-04-08 · CVE-2025-32414 [MEDIUM] · CWE-252
In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters.
OSV: CVE-2025-32414
osv · 2025-04-08 · CVSS 7.5 · CVE-2025-32414 [HIGH]
In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters.
Ubuntu: libxml2 vulnerabilities
vendor_ubuntu · 2025-11-27 · CVSS 5.6 · CVE-2025-7425 [MEDIUM]
Title: libxml2 vulnerabilities
Summary: Several security issues were fixed in libxml2.
It was discovered that the libxml2 Python bindings incorrectly handled certain return values. An attacker could possibly use this issue to cause libxml2 to crash, resulting in a denial of service. (CVE-2025-32414)
It was discovered that libxml2 incorrectly handled certain memory operations. A remote attacker could possibly use this issue to cause libxml2 to crash, resulting in a denial of service. (CVE-2025-32415)
It was discovered that libxslt, used by libxml2, incorrectly handled certain attributes. An attacker could use this issue to cause a crash, resulting in a denial of service, or possibly execute arbitrary code. This update adds a fix to libxml2 to mitigate the libxslt vulnerability. (CVE-202
Ubuntu: libxml2 vulnerabilities
vendor_ubuntu · 2025-04-28 · CVSS 5.6 · CVE-2025-32414 [MEDIUM]
Title: libxml2 vulnerabilities
Summary: Several security issues were fixed in libxml2.
It was discovered that the libxml2 Python bindings incorrectly handled certain return values. An attacker could possibly use this issue to cause libxml2 to crash, resulting in a denial of service. (CVE-2025-32414)
It was discovered that libxml2 incorrectly handled certain memory operations. A remote attacker could possibly use this issue to cause libxml2 to crash, resulting in a denial of service. (CVE-2025-32415)
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu: libxml2 vulnerabilities
vendor_ubuntu · 2025-04-28 · CVSS 5.6 · CVE-2025-32415 [MEDIUM]
Title: libxml2 vulnerabilities
Summary: Several security issues were fixed in libxml2.
USN-7467-1 fixed several vulnerabilities in libxml2. This update provides the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.
Original advisory details:
It was discovered that the libxml2 Python bindings incorrectly handled certain return values. An attacker could possibly use this issue to cause libxml2 to crash, resulting in a denial of service. (CVE-2025-32414)
It was discovered that libxml2 incorrectly handled certain memory operations. A remote attacker could possibly use this issue to cause libxml2 to crash, resulting in a denial of service. (CVE-2025-32415)
Instructions: In general, a standard system update will make all the necessary changes.
Microsoft
vendor_msrc · 2025-04-08 · CVSS 5.6 · CVE-2025-32414 [MEDIUM] · CWE-393
In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more infor
Red Hat: libxml2: Out-of-Bounds Read in libxml2
vendor_redhat · 2025-04-08 · CVSS 5.6 · CVE-2025-32414 [MEDIUM] · CWE-393
In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters.
A flaw was found in libxml2. This vulnerability allows out-of-bounds memory access due to incorrect handling of return values in xmlPythonFileRead and xmlPythonFileReadRaw. This is caused by a mismatch between the length of the file in bytes vs the length in characters, as unicode characters can occupy up to 4 bytes per character.
Statement: This bug affects parsing of text streams using:
- the Python bindings (pending deprecation: https://gitlab.gnome.org/GNOME/libxml2/-/issues
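The byte-versus-character mismatch that Red Hat describes, shown as an added example rather than libxml2's own code: a text-mode Python file object's `read(n)` returns `n` characters, which encode to as many as `4*n` bytes, so a bridge that copies the result into an `n`-byte buffer and reports `len()` of the returned `str` as the byte count gets both the size and the count wrong. `ByteBridge`, `drain` and the `reported_length_*` helpers are hypothetical names, and the sample text is constructed; the safe pattern is to encode first, measure the encoded bytes, and carry any surplus over to the next read.

```python
import io

# Constructed sample: one 2-byte, one 3-byte and one 4-byte UTF-8 character.
SAMPLE_TEXT = "é€😀"

def reported_length_naive(chunk):
    """The flawed accounting: len() of whatever read() returned is reported
    as the number of bytes produced. For a str this counts characters."""
    return len(chunk)

def reported_length_correct(chunk):
    """Measure the bytes that will actually be copied into the C buffer."""
    if isinstance(chunk, str):
        chunk = chunk.encode("utf-8")
    return len(chunk)

class ByteBridge:
    """Hypothetical helper feeding a fixed-size byte buffer from a Python file
    object in text mode (read() -> str) or binary mode (read() -> bytes).
    A text-mode read(n) yields n characters, i.e. up to 4*n bytes, so the
    surplus is carried over instead of being written past the buffer."""

    def __init__(self, fileobj):
        self.fileobj = fileobj
        self.pending = b""

    def read_into(self, buf_size):
        """Return at most buf_size bytes; b"" only at end of input."""
        while len(self.pending) < buf_size:
            chunk = self.fileobj.read(buf_size - len(self.pending))
            if not chunk:
                break
            if isinstance(chunk, str):
                chunk = chunk.encode("utf-8")
            self.pending += chunk
        out, self.pending = self.pending[:buf_size], self.pending[buf_size:]
        return out

def drain(payload, buf_size):
    """Run a constructed str (text mode) or bytes (binary mode) payload
    through the bridge and return the chunks handed to the buffer."""
    fileobj = io.StringIO(payload) if isinstance(payload, str) else io.BytesIO(payload)
    bridge, chunks = ByteBridge(fileobj), []
    while True:
        chunk = bridge.read_into(buf_size)
        if not chunk:
            return chunks
        chunks.append(chunk)
```

With a text-mode source of four 4-byte characters and a 5-byte buffer, the naive count would report 4 bytes for a 16-byte read; the bridge instead hands over 5, 5, 5 and 1 bytes, never exceeding the buffer.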
Debian: CVE-2025-32414: libxml2
vendor_debian · 2025 · CVSS 5.6 · CVE-2025-32414 [MEDIUM]
In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters.
Scope: local
bookworm: resolved (fixed in 2.9.14+dfsg-1.3~deb12u2)
bullseye: resolved (fixed in 2.9.10+dfsg-6.7+deb11u7)
forky: resolved (fixed in 2.12.7+dfsg+really2.9.14-1)
sid: resolved (fixed in 2.12.7+dfsg+really2.9.14-1)
trixie: resolved (fixed in 2.12.7+dfsg+really2.9.14-1)
No detection rules found.
No public exploits indexed.
Published: 2025-04-08