CVE-2025-49794
BaseFortify
Publication date: 2025-06-16
Last updated on: 2026-04-19
Assigner: Red Hat, Inc.
Exploitability
| CWE ID | Description |
|---|---|
| CWE-825 | The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-49794 is a use-after-free vulnerability in the libxml2 library's Schematron component. It happens when parsing XPath elements in XML schematron schema elements like <sch:name path="..."/>. The function xmlSchematronGetNode returns a pointer to memory that has already been freed, leading to undefined behavior such as application crashes or denial of service. [1]
How can this vulnerability impact me?
This vulnerability can cause applications using libxml2 to crash or behave unpredictably when processing maliciously crafted XML documents. This can lead to denial of service (DoS), potentially disrupting services or applications relying on libxml2 for XML parsing. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update libxml2 to a patched version provided by your Linux distribution vendor as soon as possible. Avoid processing untrusted XML documents containing Schematron elements with XPath expressions until the update is applied. Monitoring for application crashes related to libxml2 when parsing XML may help identify exploitation attempts. [1]
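The interim advice above is to avoid feeding untrusted XML that carries Schematron elements with XPath expressions into an unpatched libxml2. The following is an added example, not code from BaseFortify, Red Hat or the libxml2 project, of a pre-filter that inspects a document with Python's standard-library expat parser (which is not libxml2) and flags any element in a Schematron namespace that carries an XPath-bearing attribute. The namespace URIs and the attribute list (path, test, select, context) are assumptions for the example; the CVE record only shows the `sch` prefix and the `path` attribute. The check fails closed on malformed input and is a stop-gap, not a replacement for updating libxml2.

```python
import xml.etree.ElementTree as ET

# Namespace URIs that identify Schematron schemas. Assumed for this example:
# ISO Schematron plus the older ASCC namespace.
SCHEMATRON_NAMESPACES = {
    "http://purl.oclc.org/dsdl/schematron",
    "http://www.ascc.net/xml/schematron",
}

# Attributes on Schematron elements whose values are XPath expressions
# (assumed list; the CVE text names only "path" on <sch:name>).
XPATH_ATTRIBUTES = ("path", "test", "select", "context")


def find_schematron_xpath_elements(xml_bytes):
    """Return (local_name, attribute, value) for every Schematron-namespaced
    element carrying an XPath attribute, in document order.

    Uses the stdlib expat-based parser, so no libxml2 code runs on the
    document during this check. Raises ET.ParseError on malformed XML.
    """
    hits = []
    root = ET.fromstring(xml_bytes)
    for elem in root.iter():
        # ElementTree encodes namespaced tags as "{uri}local".
        if not elem.tag.startswith("{"):
            continue
        ns, _, local = elem.tag[1:].partition("}")
        if ns not in SCHEMATRON_NAMESPACES:
            continue
        for attr in XPATH_ATTRIBUTES:
            if attr in elem.attrib:
                hits.append((local, attr, elem.attrib[attr]))
    return hits


def is_safe_to_parse(xml_bytes):
    """True only if the document parses and contains no Schematron XPath
    elements. Malformed input (including unbound 'sch:' prefixes) is
    treated as unsafe so the filter fails closed."""
    try:
        return not find_schematron_xpath_elements(xml_bytes)
    except ET.ParseError:
        return False


# Constructed sample inputs for demonstration.
SAMPLE_SCHEMA = b"""<?xml version="1.0"?>
<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron">
  <sch:pattern>
    <sch:rule context="/root">
      <sch:report test="@id">Id: <sch:name path="@id"/></sch:report>
    </sch:rule>
  </sch:pattern>
</sch:schema>"""

SAMPLE_PLAIN = b'<root id="1"><item/></root>'

if __name__ == "__main__":
    for label, doc in (("schema", SAMPLE_SCHEMA), ("plain", SAMPLE_PLAIN)):
        print(label, "safe" if is_safe_to_parse(doc) else "REJECT",
              find_schematron_xpath_elements(doc) if is_safe_to_parse(doc) or True else "")
```

Run the gate before the document reaches any libxml2-backed parser (lxml, xmllint, PHP's DOM, etc.); documents that are rejected can be logged alongside the crash monitoring the advisory suggests, which gives a second detection signal for attempts to deliver Schematron content to vulnerable hosts.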