Description
A flaw was found in the libxslt library. The same memory field, psvi, is used for both stylesheet and input data, which can lead to type confusion during XML transformations. This vulnerability allows an attacker to crash the application or corrupt memory. In some cases, it may lead to denial of service or unexpected behavior.
Published: 2025-07-10
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service and potential memory corruption via type confusion in libxslt
Action: Patch Immediately
AI Analysis

Impact

The flaw in libxslt arises because the memory field psvi is reused for both stylesheet and input data. Because the library can therefore misinterpret data of one kind as the other, crafted input can cause memory corruption or an application crash. The impact may manifest as a denial of service or unexpected behavior in programs that rely on XML transformations.

Affected Systems

Affected platforms include GNOME's libxslt and several Red Hat distributions (RHEL 6 through RHEL 10, Red Hat Hardened Images, and Red Hat OpenShift Container Platform 4). The advisory does not list specific version numbers, but any system that contains the vulnerable libxslt release is potentially at risk.

Risk and Exploitability

With a CVSS score of 7.5, the vulnerability is considered high risk, yet the EPSS score of less than 1% indicates a low probability that it is actively exploited in the wild. It is not currently listed in the CISA KEV catalog. An attacker could trigger the flaw by delivering crafted XML to any service that processes data with libxslt, potentially causing a crash or memory corruption. No public exploit had been disclosed at the time of this analysis.

Generated by OpenCVE AI on April 20, 2026 at 16:20 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.


OpenCVE Recommended Actions

  • Update the libxslt package to the version released in the Red Hat Security Advisory RHBA-2025:12345 on all affected RHEL installations.
  • Ensure GNOME libxslt is upgraded to the patched version using the distribution's package manager or by compiling the updated source from the vendor's repository.
  • If an immediate upgrade cannot be performed, constrain or sandbox XML processing components to limit exposure to untrusted XML payloads, thereby mitigating the risk of triggering the type-confusion flaw.


Advisories
Source | ID | Title
Debian DLA | DLA-4309-1 | libxslt security update
Debian DSA | DSA-5979-1 | libxslt security update
EUVD | EUVD-2025-20995 | A flaw was found in the libxslt library. The same memory field, psvi, is used for both stylesheet and input data, which can lead to type confusion during XML transformations. This vulnerability allows an attacker to crash the application or corrupt memory. In some cases, it may lead to denial of service or unexpected behavior.
Ubuntu USN | USN-7945-1 | Libxslt vulnerability
History

Mon, 27 Apr 2026 20:30:00 +0000
  References: updated

Tue, 14 Apr 2026 22:00:00 +0000
  CPEs
    Removed: cpe:/o:redhat:enterprise_linux:10
    Added:   cpe:/o:redhat:enterprise_linux:10.0
  References: updated

Tue, 14 Apr 2026 10:30:00 +0000
  First Time appeared
    Added: Redhat hummingbird
  CPEs
    Added: cpe:/a:redhat:hummingbird:1
  Vendors & Products
    Added: Redhat hummingbird

Mon, 23 Mar 2026 18:15:00 +0000
  References: updated

Wed, 21 Jan 2026 13:30:00 +0000
  Metrics
    Removed: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H'}
    Added:   cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Tue, 04 Nov 2025 22:30:00 +0000
  References: updated

Mon, 03 Nov 2025 20:30:00 +0000


Mon, 03 Nov 2025 19:30:00 +0000
  References: updated

Wed, 27 Aug 2025 18:15:00 +0000
  First Time appeared
    Added: Redhat openshift Container Platform
           Xmlsoft
           Xmlsoft libxslt
  CPEs
    Added: cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*
           cpe:2.3:a:xmlsoft:libxslt:-:*:*:*:*:*:*:*
           cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*
           cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
           cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
           cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
           cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
  Vendors & Products
    Added: Redhat openshift Container Platform
           Xmlsoft
           Xmlsoft libxslt

Wed, 16 Jul 2025 13:45:00 +0000
  Metrics
    Removed: epss {'score': 0.00015}
    Added:   epss {'score': 0.0002}

Fri, 11 Jul 2025 13:45:00 +0000
  Metrics
    Added: epss {'score': 0.00015}

Thu, 10 Jul 2025 15:15:00 +0000
  Metrics
    Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 10 Jul 2025 14:15:00 +0000
  Description
    Removed: No description is available for this CVE.
    Added:   A flaw was found in the libxslt library. The same memory field, psvi, is used for both stylesheet and input data, which can lead to type confusion during XML transformations. This vulnerability allows an attacker to crash the application or corrupt memory. In some cases, it may lead to denial of service or unexpected behavior.
  Title
    Removed: libxslt: Type confusion in xmlNode.psvi between stylesheet and source nodes
    Added:   Libxslt: type confusion in xmlnode.psvi between stylesheet and source nodes
  First Time appeared
    Added: Redhat
           Redhat enterprise Linux
           Redhat openshift
  CPEs
    Added: cpe:/a:redhat:openshift:4
           cpe:/o:redhat:enterprise_linux:10
           cpe:/o:redhat:enterprise_linux:6
           cpe:/o:redhat:enterprise_linux:7
           cpe:/o:redhat:enterprise_linux:8
           cpe:/o:redhat:enterprise_linux:9
  Vendors & Products
    Added: Redhat
           Redhat enterprise Linux
           Redhat openshift
  References: updated

Thu, 10 Jul 2025 12:30:00 +0000
  Description
    Added: No description is available for this CVE.
  Title
    Added: libxslt: Type confusion in xmlNode.psvi between stylesheet and source nodes
  Weaknesses
    Added: CWE-843
  References: updated
  Metrics
    Removed: threat_severity None
    Added:   cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H'}
             threat_severity Important

MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-27T20:02:45.797Z

Reserved: 2025-07-10T08:43:48.349Z

Link: CVE-2025-7424

Vulnrichment

Updated: 2025-11-04T21:14:54.140Z

NVD

Status: Modified

Published: 2025-07-10T14:15:27.573

Modified: 2026-04-27T21:16:25.697

Link: CVE-2025-7424

Redhat

Severity: Important

Published Date: 2025-07-10T00:00:00Z

Links: CVE-2025-7424 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T16:30:06Z

Weaknesses