CVE-2025-49794
Published 2025-06-16
Priority: P350 · critical · 9.1 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
EPSS: 0.67% (47.3th percentile)
A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libxml2 | < libxml2 2.9.14+dfsg-1.3~deb12u3 (bookworm) | libxml2 2.9.14+dfsg-1.3~deb12u3 (bookworm) |
| msrc | azl3_libxml2_2.11.5-6_on_azure_linux_3.0 | — | — |
| msrc | cbl2_libxml2_2.10.4-8_on_cbl_mariner_2.0 | — | — |
| msrc | cm2_libxml2_2.10.4-8_on_cbl_mariner_2.0 | — | — |
| nokogiri | nokogiri | >= 0 < 1.18.9 | 1.18.9 |
| xmlsoft | libxml2 | >= 0 < 2.9.10+dfsg-6.7+deb11u8 | 2.9.10+dfsg-6.7+deb11u8 |
| xmlsoft | libxml2 | >= 0 < 2.9.14+dfsg-1.3~deb12u3 | 2.9.14+dfsg-1.3~deb12u3 |
| xmlsoft | libxml2 | >= 0 < 2.12.7+dfsg+really2.9.14-2 | 2.12.7+dfsg+really2.9.14-2 |
| xmlsoft | libxml2 | >= 0 < 2.12.7+dfsg+really2.9.14-2 | 2.12.7+dfsg+really2.9.14-2 |
| xmlsoft | libxml2 | >= 0 < 2.9.13+dfsg-1ubuntu0.8 | 2.9.13+dfsg-1ubuntu0.8 |
| xmlsoft | libxml2 | >= 0 < 2.9.14+dfsg-1.3ubuntu3.4 | 2.9.14+dfsg-1.3ubuntu3.4 |
| xmlsoft | libxml2 | >= 0 < 2.9.1+dfsg1-3ubuntu4.13+esm8 | 2.9.1+dfsg1-3ubuntu4.13+esm8 |
| xmlsoft | libxml2 | >= 0 < 2.9.3+dfsg1-1ubuntu0.7+esm9 | 2.9.3+dfsg1-1ubuntu0.7+esm9 |
| xmlsoft | libxml2 | >= 0 < 2.9.4+dfsg1-6.1ubuntu1.9+esm4 | 2.9.4+dfsg1-6.1ubuntu1.9+esm4 |
| xmlsoft | libxml2 | >= 0 < 2.9.10+dfsg-5ubuntu0.20.04.10+esm1 | 2.9.10+dfsg-5ubuntu0.20.04.10+esm1 |
CVSS provenance
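| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
| ghsa | — | 9.1 | CRITICAL | — |
| osv | — | 9.1 | CRITICAL | — |
| vendor_debian | — | 9.1 | CRITICAL | — |
| vendor_msrc | — | 9.1 | CRITICAL | — |
| vendor_redhat | — | 9.1 | CRITICAL | — |
| vendor_ubuntu | — | 9.1 | CRITICAL | — |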
OSV
libxml2 vulnerabilities
osv·2025-08-14·CVSS 9.1
CVE-2025-6021 [CRITICAL] libxml2 vulnerabilities
Ahmed Lekssays discovered that libxml2 did not properly perform certain
mathematical operations, leading to an integer overflow. An attacker
could possibly use this issue to cause a crash, resulting in a denial of
service, or possibly execute arbitrary code. (CVE-2025-6021)
Ahmed Lekssays discovered that libxml2 did not properly validate the size
of an untrusted input stream. An attacker could possibly use this issue
to cause a crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2025-6170)
Nikita Sveshnikov discovered that libxml2 did not properly handle certain
XPath expressions, leading to a use-after-free vulnerability. An attacker
could potentially exploit this issue to cause a denial of service.
(CVE-2025-49794)
Nikita Sveshnik
OSV
Nokogiri patches vendored libxml2 to resolve multiple CVEs
osv·2025-07-21·CVSS 9.1
CVE-2025-6021 [CRITICAL] Nokogiri patches vendored libxml2 to resolve multiple CVEs
## Summary
Nokogiri v1.18.9 patches the vendored libxml2 to address CVE-2025-6021, CVE-2025-6170, CVE-2025-49794, CVE-2025-49795, and CVE-2025-49796.
## Impact and severity
### CVE-2025-6021
A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input.
NVD claims a severity of 7.5 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/17d950ae
### CVE-2025-6170
A flaw was found in the interactive shell of the xmllint command-line tool, used for parsing XML files. When a user input
GHSA
Nokogiri patches vendored libxml2 to resolve multiple CVEs
ghsa·2025-07-21·CVSS 9.1
CVE-2025-6021 [CRITICAL] Nokogiri patches vendored libxml2 to resolve multiple CVEs
## Summary
Nokogiri v1.18.9 patches the vendored libxml2 to address CVE-2025-6021, CVE-2025-6170, CVE-2025-49794, CVE-2025-49795, and CVE-2025-49796.
## Impact and severity
### CVE-2025-6021
A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input.
NVD claims a severity of 7.5 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/17d950ae
### CVE-2025-6170
A flaw was found in the interactive shell of the xmllint command-line tool, used for parsing XML files. When a user input
OSV
CVE-2025-49794: A use-after-free vulnerability was found in libxml2
osv·2025-06-16·CVSS 9.1
CVE-2025-49794 [CRITICAL] CVE-2025-49794: A use-after-free vulnerability was found in libxml2
A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors.
GHSA
GHSA-qg4c-8pj4-qgw2: A use-after-free vulnerability was found in libxml2
ghsa_unreviewed·2025-06-16
CVE-2025-49794 [CRITICAL] CWE-825 GHSA-qg4c-8pj4-qgw2: A use-after-free vulnerability was found in libxml2
A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors.
Ubuntu
libxml2 vulnerabilities
vendor_ubuntu·2025-08-14·CVSS 9.1
CVE-2025-6021 [CRITICAL] libxml2 vulnerabilities
Title: libxml2 vulnerabilities
Summary: Several security issues were fixed in libxml2.
Ahmed Lekssays discovered that libxml2 did not properly perform certain
mathematical operations, leading to an integer overflow. An attacker
could possibly use this issue to cause a crash, resulting in a denial of
service, or possibly execute arbitrary code. (CVE-2025-6021)
Ahmed Lekssays discovered that libxml2 did not properly validate the size
of an untrusted input stream. An attacker could possibly use this issue
to cause a crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2025-6170)
Nikita Sveshnikov discovered that libxml2 did not properly handle certain
XPath expressions, leading to a use-after-free vulnerability. An attacker
could potentially exploit this issue
Red Hat
libxml: Heap use after free (UAF) leads to Denial of service (DoS)
vendor_redhat·2025-06-10·CVSS 9.1
CVE-2025-49794 [CRITICAL] CWE-825 libxml: Heap use after free (UAF) leads to Denial of service (DoS)
A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors.
Statement: This is
Microsoft
Libxml: heap use after free (uaf) leads to denial of service (dos)
vendor_msrc·2025-06-10·CVSS 9.1
CVE-2025-49794 [CRITICAL] CWE-825 Libxml: heap use after free (uaf) leads to denial of service (dos)
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Debian
CVE-2025-49794: libxml2 - A use-after-free vulnerability was found in libxml2. This issue occurs when pars...
vendor_debian·2025·CVSS 9.1
CVE-2025-49794 [CRITICAL] CVE-2025-49794: libxml2 - A use-after-free vulnerability was found in libxml2. This issue occurs when pars...
A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors.
Scope: local
bookworm: resolved (fixed in 2.9.14+dfsg-1.3~deb12u3)
bullseye: resolved (fixed in 2.9.10+dfsg-6.7+deb11u8)
forky: resolved (fixed in 2.12.7+dfsg+really2.9.14-2)
sid: resolved (fixed in 2.12.7+dfsg+really2.9.14-2)
trixie: resolved (fixed in 2.12.7+dfsg+really2.9.14-2)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-49794 qt5-qtwebengine: Heap use after free (UAF) leads to Denial of service (DoS) [fedora-42]
bugzilla·2025-09-02·CVSS 9.1
CVE-2025-49794 [CRITICAL] CVE-2025-49794 qt5-qtwebengine: Heap use after free (UAF) leads to Denial of service (DoS) [fedora-42]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT.
https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to
Bugzilla
CVE-2025-49794 pcem: Heap use after free (UAF) leads to Denial of service (DoS) [fedora-42]
bugzilla·2025-09-02·CVSS 9.1
CVE-2025-49794 [CRITICAL] CVE-2025-49794 pcem: Heap use after free (UAF) leads to Denial of service (DoS) [fedora-42]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT.
https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all
Bugzilla
CVE-2025-49794 mingw-libxml2: Heap use after free (UAF) leads to Denial of service (DoS) [fedora-42]
bugzilla·2025-06-12·CVSS 9.1
CVE-2025-49794 [CRITICAL] CVE-2025-49794 mingw-libxml2: Heap use after free (UAF) leads to Denial of service (DoS) [fedora-42]
More information about this security flaw is available in the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2372373
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'versio
Bugzilla
CVE-2025-49794 libxml2: Heap use after free (UAF) leads to Denial of service (DoS) [fedora-42]
bugzilla·2025-06-12·CVSS 9.1
CVE-2025-49794 [CRITICAL] CVE-2025-49794 libxml2: Heap use after free (UAF) leads to Denial of service (DoS) [fedora-42]
More information about this security flaw is available in the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2372373
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of
Bugzilla
CVE-2025-49794 libxml: Heap use after free (UAF) leads to Denial of service (DoS)
bugzilla·2025-06-12·CVSS 9.1
CVE-2025-49794 [CRITICAL] CVE-2025-49794 libxml: Heap use after free (UAF) leads to Denial of service (DoS)
A Heap Use After Free (UAF) vulnerability was discovered in the Schematron in libxml2. The issue arises in the xmlSchematronGetNode function when processing XPath expressions in Schematron schema elements, where a pointer to freed memory is returned and then accessed, leading to undefined behavior and potential crashes.
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 10
Via RHSA-2025:10630 https://access.redhat.com/errata/RHSA-2025:10630
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2025:10698 https://access.redhat.com/errata/RHSA-2025:10698
---
This issue has been addressed in the following produc
https://access.redhat.com/errata/RHSA-2025:10630
https://access.redhat.com/errata/RHSA-2025:10698
https://access.redhat.com/errata/RHSA-2025:10699
https://access.redhat.com/errata/RHSA-2025:11580
https://access.redhat.com/errata/RHSA-2025:12098
https://access.redhat.com/errata/RHSA-2025:12099
https://access.redhat.com/errata/RHSA-2025:12199
https://access.redhat.com/errata/RHSA-2025:12237
https://access.redhat.com/errata/RHSA-2025:12239
https://access.redhat.com/errata/RHSA-2025:12240
https://access.redhat.com/errata/RHSA-2025:12241
https://access.redhat.com/errata/RHSA-2025:13335
https://access.redhat.com/errata/RHSA-2025:15397
https://access.redhat.com/errata/RHSA-2025:15827
https://access.redhat.com/errata/RHSA-2025:15828
https://access.redhat.com/errata/RHSA-2025:18217
https://access.redhat.com/errata/RHSA-2025:18218
https://access.redhat.com/errata/RHSA-2025:18219
https://access.redhat.com/errata/RHSA-2025:18240
https://access.redhat.com/errata/RHSA-2025:19020
https://access.redhat.com/errata/RHSA-2025:19041
https://access.redhat.com/errata/RHSA-2025:19046
https://access.redhat.com/errata/RHSA-2025:19894
https://access.redhat.com/errata/RHSA-2025:21913
https://access.redhat.com/errata/RHSA-2026:0934
https://access.redhat.com/errata/RHSA-2026:7519
https://access.redhat.com/security/cve/CVE-2025-49794
https://bugzilla.redhat.com/show_bug.cgi?id=2372373
https://gitlab.gnome.org/GNOME/libxml2/-/issues/931
https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html
https://cert-portal.siemens.com/productcert/html/ssa-253495.html
https://cert-portal.siemens.com/productcert/html/ssa-577017.html