CVE-2025-49794

Libxml: heap use after free (uaf) leads to denial of service (dos)

Severity Score

9.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the <sch:name path="..."/> schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors.

Ahmed Lekssays discovered that libxml2 did not properly perform certain mathematical operations, leading to an integer overflow. An attacker could possibly use this issue to cause a crash, resulting in a denial of service, or possibly execute arbitrary code. Ahmed Lekssays discovered that libxml2 did not properly validate the size of an untrusted input stream. An attacker could possibly use this issue to cause a crash, resulting in a denial of service, or possibly execute arbitrary code.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2025-06-10 CVE Reserved
2025-06-16 CVE Published
2026-04-22 EPSS Updated
2026-05-12 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-825: Expired Pointer Dereference

CAPEC

References (29)

URL	Tag	Source
https://gitlab.gnome.org/GNOME/libxml2/-/issues/931

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2025-49794	2025-06-16
https://bugzilla.redhat.com/show_bug.cgi?id=2372373	2025-06-16
https://access.redhat.com/errata/RHSA-2025:10630	2026-05-12
https://access.redhat.com/errata/RHSA-2025:10698	2026-05-12
https://access.redhat.com/errata/RHSA-2025:10699	2026-05-12
https://access.redhat.com/errata/RHSA-2025:11580	2026-05-12
https://access.redhat.com/errata/RHSA-2025:12098	2026-05-12
https://access.redhat.com/errata/RHSA-2025:12099	2026-05-12
https://access.redhat.com/errata/RHSA-2025:12199	2026-05-12
https://access.redhat.com/errata/RHSA-2025:12237	2026-05-12
https://access.redhat.com/errata/RHSA-2025:12239	2026-05-12
https://access.redhat.com/errata/RHSA-2025:12240	2026-05-12
https://access.redhat.com/errata/RHSA-2025:12241	2026-05-12
https://access.redhat.com/errata/RHSA-2025:13335	2026-05-12
https://access.redhat.com/errata/RHSA-2025:15397	2026-05-12
https://access.redhat.com/errata/RHSA-2025:15827	2026-05-12
https://access.redhat.com/errata/RHSA-2025:15828	2026-05-12
https://access.redhat.com/errata/RHSA-2025:18217	2026-05-12
https://access.redhat.com/errata/RHSA-2025:18218	2026-05-12
https://access.redhat.com/errata/RHSA-2025:18219	2026-05-12
https://access.redhat.com/errata/RHSA-2025:18240	2026-05-12
https://access.redhat.com/errata/RHSA-2025:19020	2026-05-12
https://access.redhat.com/errata/RHSA-2025:19041	2026-05-12
https://access.redhat.com/errata/RHSA-2025:19046	2026-05-12
https://access.redhat.com/errata/RHSA-2025:19894	2026-05-12
https://access.redhat.com/errata/RHSA-2025:21913	2026-05-12
https://access.redhat.com/errata/RHSA-2026:0934	2026-05-12
https://access.redhat.com/errata/RHSA-2026:7519	2026-05-12

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Centos Search vendor "Centos"		Centos Search vendor "Centos" for product "Centos"				*		-		Affected
Oracle Search vendor "Oracle"		Linux Search vendor "Oracle" for product "Linux"				*		-		Affected
Red Hat Search vendor "Red Hat"		Enterprise Linux Search vendor "Red Hat" for product "Enterprise Linux"				*		-		Affected
Redhat Search vendor "Redhat"		Cert-manager Operator For Red Hat Openshift Search vendor "Redhat" for product "Cert-manager Operator For Red Hat Openshift"				*		-		Affected
Redhat Search vendor "Redhat"		Cert Manager Search vendor "Redhat" for product "Cert Manager"				*		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				*		-		Affected
Redhat Search vendor "Redhat"		Insights Proxy Search vendor "Redhat" for product "Insights Proxy"				*		-		Affected
Redhat Search vendor "Redhat"		Jboss Core Services Search vendor "Redhat" for product "Jboss Core Services"				*		-		Affected
Redhat Search vendor "Redhat"		Openshift Search vendor "Redhat" for product "Openshift"				*		-		Affected
Redhat Search vendor "Redhat"		Openshift File Integrity Operator Search vendor "Redhat" for product "Openshift File Integrity Operator"				*		-		Affected
Redhat Search vendor "Redhat"		Rhel Aus Search vendor "Redhat" for product "Rhel Aus"				*		-		Affected
Redhat Search vendor "Redhat"		Rhel E4s Search vendor "Redhat" for product "Rhel E4s"				*		-		Affected
Redhat Search vendor "Redhat"		Rhel Eus Search vendor "Redhat" for product "Rhel Eus"				*		-		Affected
Redhat Search vendor "Redhat"		Rhel Eus Long Life Search vendor "Redhat" for product "Rhel Eus Long Life"				*		-		Affected
Redhat Search vendor "Redhat"		Rhel Tus Search vendor "Redhat" for product "Rhel Tus"				*		-		Affected
Redhat Search vendor "Redhat"		Web Terminal Search vendor "Redhat" for product "Web Terminal"				*		-		Affected
Redhat Search vendor "Redhat"		Webterminal Search vendor "Redhat" for product "Webterminal"				*		-		Affected
F5 Search vendor "F5"		Big-ip Search vendor "F5" for product "Big-ip"				*		-		Affected
Alma Search vendor "Alma"		Linux Search vendor "Alma" for product "Linux"				*		-		Affected
Amazon Search vendor "Amazon"		Linux Search vendor "Amazon" for product "Linux"				*		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				*		-		Affected
Freebsd Search vendor "Freebsd"		Freebsd Search vendor "Freebsd" for product "Freebsd"				*		-		Affected
Huawei Search vendor "Huawei"		Euleros Search vendor "Huawei" for product "Euleros"				*		-		Affected
Nutanix Search vendor "Nutanix"		Ahv Search vendor "Nutanix" for product "Ahv"				*		-		Affected
Nutanix Search vendor "Nutanix"		Aos Search vendor "Nutanix" for product "Aos"				*		-		Affected
Opensuse Search vendor "Opensuse"		Leap Search vendor "Opensuse" for product "Leap"				*		-		Affected
Oracle Search vendor "Oracle"		Linux Search vendor "Oracle" for product "Linux"				*		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				*		-		Affected
Redhat Search vendor "Redhat"		Openshift Search vendor "Redhat" for product "Openshift"				*		-		Affected
Redhat Search vendor "Redhat"		Rhel Aus Search vendor "Redhat" for product "Rhel Aus"				*		-		Affected
Redhat Search vendor "Redhat"		Rhel E4s Search vendor "Redhat" for product "Rhel E4s"				*		-		Affected
Redhat Search vendor "Redhat"		Rhel Els Search vendor "Redhat" for product "Rhel Els"				*		-		Affected
Redhat Search vendor "Redhat"		Rhel Eus Search vendor "Redhat" for product "Rhel Eus"				*		-		Affected
Redhat Search vendor "Redhat"		Rhel Eus Long Life Search vendor "Redhat" for product "Rhel Eus Long Life"				*		-		Affected
Redhat Search vendor "Redhat"		Rhel Tus Search vendor "Redhat" for product "Rhel Tus"				*		-		Affected
Rocky Search vendor "Rocky"		Linux Search vendor "Rocky" for product "Linux"				*		-		Affected
Slackware Search vendor "Slackware"		Slackware Linux Search vendor "Slackware" for product "Slackware Linux"				*		-		Affected
Suse Search vendor "Suse"		Sle-module-basesystem Search vendor "Suse" for product "Sle-module-basesystem"				*		-		Affected
Suse Search vendor "Suse"		Sle-module-python3 Search vendor "Suse" for product "Sle-module-python3"				*		-		Affected
Suse Search vendor "Suse"		Sle Hpc-espos Search vendor "Suse" for product "Sle Hpc-espos"				*		-		Affected
Suse Search vendor "Suse"		Sle Hpc-ltss Search vendor "Suse" for product "Sle Hpc-ltss"				*		-		Affected
Suse Search vendor "Suse"		Sle Hpc Search vendor "Suse" for product "Sle Hpc"				*		-		Affected
Suse Search vendor "Suse"		Sled Search vendor "Suse" for product "Sled"				*		-		Affected
Suse Search vendor "Suse"		Sles-ltss-extended-security Search vendor "Suse" for product "Sles-ltss-extended-security"				*		-		Affected
Suse Search vendor "Suse"		Sles-ltss Search vendor "Suse" for product "Sles-ltss"				*		-		Affected
Suse Search vendor "Suse"		Sles Search vendor "Suse" for product "Sles"				*		-		Affected
Suse Search vendor "Suse"		Sles Sap Search vendor "Suse" for product "Sles Sap"				*		-		Affected
Suse Search vendor "Suse"		Suse-manager-proxy Search vendor "Suse" for product "Suse-manager-proxy"				*		-		Affected
Suse Search vendor "Suse"		Suse-manager-server Search vendor "Suse" for product "Suse-manager-server"				*		-		Affected
Tencent Search vendor "Tencent"		Tencentos Server Search vendor "Tencent" for product "Tencentos Server"				*		-		Affected
Uos Search vendor "Uos"		Uos Server 20 Search vendor "Uos" for product "Uos Server 20"				*		-		Affected