Description: In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.
CVSS vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Exploitability: 1.4 | Impact: 1.4
Attack Vector: Local
Complexity: High
Privileges: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: Low
Affected Packages (5 packages)
Debian libxml2 < 2.9.10+dfsg-6.7+deb11u7 +3
Ubuntu libxml2 < 2.9.10+dfsg-5ubuntu0.20.04.10 +3
Vulnerability Details (8)
OSV: libxml2 vulnerabilities (2025-11-27)
OSV: libxml2 vulnerabilities (2025-04-28)
OSV: libxml2 vulnerabilities (2025-04-28)
GHSA: Nokogiri updates packaged libxml2 to v2.13.8 to resolve CVE-2025-32414 and CVE-2025-32415 (2025-04-21)
OSV: Nokogiri updates packaged libxml2 to v2.13.8 to resolve CVE-2025-32414 and CVE-2025-32415 (2025-04-21)
Vendor Advisories (8)
Ubuntu: libxml2 vulnerabilities (2025-11-27)
Oracle: Oracle Communications Applications Risk Matrix: Core (libxml2) — CVE-2025-32415 (2025-10-15)
Oracle: Oracle MySQL Risk Matrix: MySQL Workbench (libxml2) — CVE-2025-32415 (2025-07-15)
Ubuntu: libxml2 vulnerabilities (2025-04-28)
Ubuntu: libxml2 vulnerabilities (2025-04-28)
Community (2)
Bugzilla: CVE-2025-32415 qt5-qtwebengine: Out-of-bounds Read in xmlSchemaIDCFillNodeTables [fedora-40] (2025-04-18)
Bugzilla: CVE-2025-32415 pcem: Out-of-bounds Read in xmlSchemaIDCFillNodeTables [fedora-40] (2025-04-18)