Description
A NULL pointer dereference vulnerability was found in libxml2 when processing XPath XML expressions. This flaw allows an attacker to craft a malicious XML input to libxml2, leading to a denial of service.
Published: 2025-06-16
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via NULL pointer dereference in libxml2
Action: Patch Update
AI Analysis

Impact

A NULL pointer dereference vulnerability exists in libxml2 when processing XPath XML expressions, allowing an attacker to craft malicious XML input that causes a denial of service by crashing the library. The flaw is a pointer-handling weakness classified under CWE-825 and results in loss of availability for any application that relies on libxml2 to parse XML content. The effect is a crash of the affected process, which can cascade to higher-level services that depend on it, but the flaw does not directly compromise confidentiality or integrity.

Affected Systems

This issue affects Red Hat Enterprise Linux releases 6 through 10, Red Hat Hardened Images, and Red Hat JBoss Core Services 2.4.62.SP2, all of which package libxml2 in a vulnerable state. Systems running these distributions or images should verify the libxml2 component and apply the appropriate update.

Risk and Exploitability

The CVSS score of 7.5 (High) reflects severity driven entirely by availability loss. The EPSS score is below 1%, suggesting that exploitation is currently unlikely in the wild, and the vulnerability is not catalogued in the CISA KEV list. The likely attack vector is an attacker who can supply XML input to an application or service that uses libxml2, such as a web server or an XML-processing utility. Successful exploitation crashes the service or forces a restart, denying service to its users.

Generated by OpenCVE AI on April 20, 2026 at 16:24 UTC.

Remediation

Vendor Workaround

Mitigation is either unavailable or does not meet Red Hat Product Security standards for usability, deployment, applicability, or stability.


OpenCVE Recommended Actions

  • Apply the Red Hat Enterprise Linux update described in RHSA-2025:10630 to upgrade libxml2 to a patched version.
  • Apply the RHSA-2025:19020 update to Red Hat JBoss Core Services to ensure libxml2 is updated to the secured release.
  • Update any Red Hat Hardened Images or container images with the latest patched image from Red Hat that includes the libxml2 fix.
  • No approved workaround is available; the only recommended approach is to apply the vendor patch.

Advisories

Source: EUVD
ID: EUVD-2025-18416
Title: A NULL pointer dereference vulnerability was found in libxml2 when processing XPath XML expressions. This flaw allows an attacker to craft a malicious XML input to libxml2, leading to a denial of service.
History

Sun, 19 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
References

Tue, 14 Apr 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat hummingbird
CPEs cpe:/a:redhat:hummingbird:1
Vendors & Products Redhat hummingbird
References

Mon, 27 Oct 2025 18:00:00 +0000

Type Values Removed Values Added
References

Wed, 08 Oct 2025 14:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:rhivos:1
Vendors & Products Redhat rhivos

Wed, 01 Oct 2025 01:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhivos
CPEs cpe:/o:redhat:rhivos:1
Vendors & Products Redhat rhivos

Wed, 09 Jul 2025 02:45:00 +0000

Type Values Removed Values Added
CPEs
  Removed: cpe:/o:redhat:enterprise_linux:10
  Added: cpe:/o:redhat:enterprise_linux:10.0
References

Mon, 16 Jun 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Jun 2025 15:30:00 +0000

Type Values Removed Values Added
Description
  Removed: No description is available for this CVE.
  Added: A NULL pointer dereference vulnerability was found in libxml2 when processing XPath XML expressions. This flaw allows an attacker to craft a malicious XML input to libxml2, leading to a denial of service.
Title
  Removed: libxml: Null pointer dereference leads to Denial of service (DoS)
  Added: Libxml: null pointer dereference leads to denial of service (dos)
First Time appeared Redhat
Redhat enterprise Linux
Redhat jboss Core Services
CPEs cpe:/a:redhat:jboss_core_services:1
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:6
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
Redhat jboss Core Services
References

Sat, 14 Jun 2025 14:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1
  Removed: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}
  Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Thu, 12 Jun 2025 15:15:00 +0000

Type Values Removed Values Added
Description No description is available for this CVE.
Title libxml: Null pointer dereference leads to Denial of service (DoS)
Weaknesses CWE-825
References
Metrics threat_severity

None

cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}

threat_severity

Important


Subscriptions

Redhat, Enterprise Linux, Hummingbird, Jboss Core Services
MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-19T19:34:57.055Z

Reserved: 2025-06-10T22:17:05.286Z

Link: CVE-2025-49795

Vulnrichment

Updated: 2025-06-16T15:30:31.217Z

NVD

Status : Deferred

Published: 2025-06-16T16:15:19.203

Modified: 2026-04-19T20:16:21.540

Link: CVE-2025-49795

Redhat

Severity : Important

Public Date: 2025-06-11T00:00:00Z

Links: CVE-2025-49795 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T16:30:06Z

Weaknesses