As discussed in https://gitlab.gnome.org/GNOME/libxml2/-/issues/913 the
security policy of libxml2 has been changed to disclose vulnerabilities
before fixes are available so that people other than the maintainer can
contribute to fixing security issues in this library.

As part of this, the following five CVEs have been disclosed recently:

(CVE-2025-49794) Heap use after free (UAF) leads to Denial of service (DoS)
https://gitlab.gnome.org/GNOME/libxml2/-/issues/931

  Description: A Heap Use After Free (UAF) vulnerability was
  discovered in the Schematron support in libxml2. The issue arises in the
  xmlSchematronGetNode function when processing XPath expressions in
  Schematron schema elements <sch:name path="..."/>, where a pointer
  to freed memory is returned and then accessed, leading to undefined
  behavior and potential crashes.

  Vulnerable component: The xmlSchematronGetNode function extracts a
  pointer to a node from an XPath node set and then immediately frees
  the entire XPath object containing that node set, rendering the
  returned pointer invalid.

  Researcher: Nikita Sveshnikov (Positive Technologies)

(CVE-2025-49795) Null pointer dereference leads to Denial of service (DoS)
https://gitlab.gnome.org/GNOME/libxml2/-/issues/932

  Description: A null pointer dereference vulnerability was discovered
  in libxml2. The issue occurs in the xmlSchematronFormatReport
  function when processing incorrect XPath expressions in Schematron
  schema reports, leading to undefined behavior and potential crashes.

  Vulnerable component: The xmlXPathCompiledEval() function can return
  NULL when evaluating invalid XPath expressions, but the code
  immediately dereferences the returned pointer without checking for
  NULL.

  Researcher: Nikita Sveshnikov (Positive Technologies)

(CVE-2025-49796) Type confusion leads to Denial of service (DoS)
https://gitlab.gnome.org/GNOME/libxml2/-/issues/933

  Description: A vulnerability causing undefined behavior was
  discovered in the Schematron support in libxml2. The issue arises in the
  xmlSchematronFormatReport function when processing sch:name
  elements, leading to memory corruption and undefined behavior when
  accessing namespace information.

  Vulnerable component: Memory corruption occurs during namespace
  processing, resulting in the assignment of a corrupted pointer
  (0xffffffffffffffff) to node->ns. When the code attempts to access
  node->ns->prefix, it dereferences this invalid pointer, causing
  undefined behavior.

  Researcher: Nikita Sveshnikov (Positive Technologies)

For all three of the above, note that upstream is considering removing
Schematron support completely, as discussed in
https://gitlab.gnome.org/GNOME/libxml2/-/issues/935.

(CVE-2025-6021) Integer Overflow Leading to Buffer Overflow in xmlBuildQName()
https://gitlab.gnome.org/GNOME/libxml2/-/issues/926

  Description: The xmlBuildQName function in tree.c is vulnerable to
  an integer overflow when calculating the required buffer size for
  concatenating a prefix and a local name (ncname). The lengths of
  ncname and prefix are retrieved using strlen (which returns size_t)
  but are then implicitly cast to int variables lenn and lenp.

  Discovered by: Ahmed Lekssays (Qatar Computing Research Institute)

  Fix: https://gitlab.gnome.org/GNOME/libxml2/-/commit/acbbeef9f5dcdcc901c
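The defect class described above (size_t lengths narrowed to int before the
buffer size is computed) is avoided by doing the arithmetic in size_t and
rejecting any length that would not survive the narrowing. The following is
an added illustration written for this post, not libxml2's xmlBuildQName or
its fix; the names qname_buffer_size, build_qname_checked and qname_equals are
hypothetical.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not libxml2 code.
 * Bytes needed for "prefix:ncname": lenn + lenp + 2 (':' plus the NUL).
 * Every addition is done in size_t, and each input length plus the total
 * must fit in an int, since that is the type the length ends up stored in.
 * Returns the size, or 0 if any value would overflow (a real size is >= 2).
 */
size_t qname_buffer_size(size_t lenn, size_t lenp) {
    /* Check each length before it is ever narrowed to int. */
    if (lenn > INT_MAX || lenp > INT_MAX)
        return 0;
    /* Guard the size_t addition itself (matters on 32-bit size_t). */
    if (lenp > SIZE_MAX - 2 - lenn)
        return 0;
    size_t total = lenn + lenp + 2;
    /* Keep the final length usable by int-typed callers as well. */
    if (total > (size_t)INT_MAX)
        return 0;
    return total;
}

/* Builds "prefix:ncname" (or a copy of ncname when prefix is NULL or
 * empty) in a freshly malloc'd buffer. Returns NULL on bad input or
 * overflow; the caller frees the result. */
char *build_qname_checked(const char *ncname, const char *prefix) {
    if (ncname == NULL)
        return NULL;
    size_t lenn = strlen(ncname);
    size_t lenp = (prefix != NULL) ? strlen(prefix) : 0;
    size_t total = qname_buffer_size(lenn, lenp);
    if (total == 0)
        return NULL;
    char *out = malloc(total);
    if (out == NULL)
        return NULL;
    if (lenp == 0) {
        memcpy(out, ncname, lenn);
        out[lenn] = '\0';
    } else {
        /* Explicit-size copies; no strcpy/strcat on the result buffer. */
        memcpy(out, prefix, lenp);
        out[lenp] = ':';
        memcpy(out + lenp + 1, ncname, lenn);
        out[lenp + 1 + lenn] = '\0';
    }
    return out;
}

/* Helper for checking results: 1 if the built name equals expected. */
int qname_equals(const char *ncname, const char *prefix, const char *expected) {
    char *q = build_qname_checked(ncname, prefix);
    if (q == NULL)
        return 0;
    int same = (strcmp(q, expected) == 0);
    free(q);
    return same;
}

int main(void) {
    char *q = build_qname_checked("local", "p");
    printf("%s\n", q ? q : "(rejected)");
    free(q);
    /* A length just under INT_MAX is accepted per component but the
       total is rejected, instead of wrapping into a tiny allocation. */
    printf("size for INT_MAX + 1: %zu\n", qname_buffer_size((size_t)INT_MAX, 1));
    return 0;
}
```

The point of the size_t-first ordering is that the comparison against
INT_MAX happens while the value is still the full strlen result; once it has
been stored in an int, the information needed to detect the truncation is
already gone.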

(CVE-2025-6170) Stack-based Buffer Overflow in xmllint Shell
https://gitlab.gnome.org/GNOME/libxml2/-/issues/941

  Summary: A stack-based buffer overflow vulnerability exists in the
  command-parsing logic of the interactive shell in xmllint. An
  attacker can supply an overly long argument to any shell command,
  triggering an unbounded memory copy that overflows a fixed-size
  buffer on the stack. This leads to a reliable Denial of Service and
  could be leveraged for Arbitrary Code Execution on systems without
  exploit mitigations.

  Discovered by: Ahmed Lekssays (Qatar Computing Research Institute)

BTW, users of libxml2 may also be using its sibling project, libxslt,
which currently has no active maintainer, but has three unfixed security issues
reported against it according to
https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt

--
        -Alan Coopersmith-                 alan.coopersm...@oracle.com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris
