Nixpkgs Security Tracker

Login with GitHub

Suggestion detail

Untriaged
(browse all)
Permalink CVE-2025-49794
created 5 months ago
Libxml: heap use after free (uaf) leads to denial of service (dos)

A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the <sch:name path="..."/> schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors.

Affected products

rhcos
  • *
libxml2
  • <2.15.0
  • *
Red Hat JBoss Core Services 2.4.62.SP2
web-terminal/web-terminal-tooling-rhel9
  • *
cert-manager/jetstack-cert-manager-rhel9
  • *
web-terminal/web-terminal-rhel9-operator
  • *
openshift-serverless-1/logic-rhel8-operator
  • *
openshift-serverless-1/logic-operator-bundle
  • *
insights-proxy/insights-proxy-container-rhel9
  • *
openshift-serverless-1/logic-swf-builder-rhel8
  • *
openshift-serverless-1/logic-swf-devmode-rhel8
  • *
compliance/openshift-file-integrity-rhel8-operator
  • *
openshift-serverless-1/logic-db-migrator-tool-rhel8
  • *
openshift-serverless-1/logic-management-console-rhel8
  • *
openshift-serverless-1/logic-data-index-ephemeral-rhel8
  • *
openshift-serverless-1/logic-data-index-postgresql-rhel8
  • *
openshift-serverless-1/logic-jobs-service-ephemeral-rhel8
  • *
openshift-serverless-1/logic-jobs-service-postgresql-rhel8
  • *
openshift-serverless-1/logic-kn-workflow-cli-artifacts-rhel8
  • *
registry.redhat.io/insights-proxy/insights-proxy-container-rhel9
  • *

Matching in nixpkgs

pkgs.libxml2

XML parsing library for C

  • nixos-unstable -

Package maintainers