{
  "threat_severity" : "Moderate",
  "public_date" : "2025-04-17T00:00:00Z",
  "bugzilla" : {
    "description" : "libxml2: Out-of-bounds Read in xmlSchemaIDCFillNodeTables",
    "id" : "2360768",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2360768"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-125",
  "details" : [ "In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.", "A flaw was found in the libxml2 library. A heap-based buffer under-read can be triggered when a crafted XML document is validated against an XML schema with certain identity constraints, or when a crafted XML schema is used. This crashes the application linked to the library, resulting in a denial of service." ],
  "statement" : "To exploit this issue, an attacker must get an application linked to the libxml2 library to process a specially crafted XML file, either by validating a crafted XML document against an XML schema with certain identity constraints or by loading a crafted XML schema. The only security impact of this vulnerability is a denial of service.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-08-07T00:00:00Z",
    "advisory" : "RHSA-2025:13429",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.0",
    "package" : "libxml2-0:2.12.5-9.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7 Extended Lifecycle Support",
    "release_date" : "2025-08-13T00:00:00Z",
    "advisory" : "RHSA-2025:13789",
    "cpe" : "cpe:/o:redhat:rhel_els:7",
    "package" : "libxml2-0:2.9.1-6.el7_9.13"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-08-06T00:00:00Z",
    "advisory" : "RHSA-2025:13203",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "libxml2-0:2.9.7-21.el8_10.3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-08-06T00:00:00Z",
    "advisory" : "RHSA-2025:13203",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "libxml2-0:2.9.7-21.el8_10.3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support",
    "release_date" : "2025-08-12T00:00:00Z",
    "advisory" : "RHSA-2025:13689",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.2",
    "package" : "libxml2-0:2.9.7-9.el8_2.5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2025-08-13T00:00:00Z",
    "advisory" : "RHSA-2025:13788",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.4",
    "package" : "libxml2-0:2.9.7-9.el8_4.8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On",
    "release_date" : "2025-08-13T00:00:00Z",
    "advisory" : "RHSA-2025:13788",
    "cpe" : "cpe:/a:redhat:rhel_eus_long_life:8.4",
    "package" : "libxml2-0:2.9.7-9.el8_4.8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2025-08-12T00:00:00Z",
    "advisory" : "RHSA-2025:13688",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.6",
    "package" : "libxml2-0:2.9.7-13.el8_6.12"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2025-08-12T00:00:00Z",
    "advisory" : "RHSA-2025:13688",
    "cpe" : "cpe:/a:redhat:rhel_tus:8.6",
    "package" : "libxml2-0:2.9.7-13.el8_6.12"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2025-08-12T00:00:00Z",
    "advisory" : "RHSA-2025:13688",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.6",
    "package" : "libxml2-0:2.9.7-13.el8_6.12"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
    "release_date" : "2025-08-13T00:00:00Z",
    "advisory" : "RHSA-2025:13806",
    "cpe" : "cpe:/a:redhat:rhel_tus:8.8",
    "package" : "libxml2-0:2.9.7-16.el8_8.12"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
    "release_date" : "2025-08-13T00:00:00Z",
    "advisory" : "RHSA-2025:13806",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.8",
    "package" : "libxml2-0:2.9.7-16.el8_8.12"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-08-07T00:00:00Z",
    "advisory" : "RHSA-2025:13428",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "libxml2-0:2.9.13-12.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-08-07T00:00:00Z",
    "advisory" : "RHSA-2025:13428",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "libxml2-0:2.9.13-12.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2025-08-12T00:00:00Z",
    "advisory" : "RHSA-2025:13684",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "libxml2-0:2.9.13-1.el9_0.7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2025-08-12T00:00:00Z",
    "advisory" : "RHSA-2025:13683",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "libxml2-0:2.9.13-3.el9_2.9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2025-08-12T00:00:00Z",
    "advisory" : "RHSA-2025:13677",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "libxml2-0:2.9.13-12.el9_4"
  }, {
    "product_name" : "Red Hat JBoss Core Services 2.4.62.SP1",
    "release_date" : "2025-08-14T00:00:00Z",
    "advisory" : "RHSA-2025:13681",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1",
    "package" : "libxml2"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.12",
    "release_date" : "2025-09-11T00:00:00Z",
    "advisory" : "RHSA-2025:15308",
    "cpe" : "cpe:/a:redhat:openshift:4.12::el8",
    "package" : "rhcos-412.86.202509030110-0"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.13",
    "release_date" : "2025-09-18T00:00:00Z",
    "advisory" : "RHSA-2025:15672",
    "cpe" : "cpe:/a:redhat:openshift:4.13::el9",
    "package" : "rhcos-413.92.202509030117-0"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.14",
    "release_date" : "2025-09-04T00:00:00Z",
    "advisory" : "RHSA-2025:14853",
    "cpe" : "cpe:/a:redhat:openshift:4.14::el9",
    "package" : "rhcos-414.92.202508270040-0"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.15",
    "release_date" : "2025-09-25T00:00:00Z",
    "advisory" : "RHSA-2025:16159",
    "cpe" : "cpe:/a:redhat:openshift:4.15::el9",
    "package" : "rhcos-415.92.202509170209-0"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.16",
    "release_date" : "2025-09-04T00:00:00Z",
    "advisory" : "RHSA-2025:14858",
    "cpe" : "cpe:/a:redhat:openshift:4.16::el9",
    "package" : "rhcos-416.94.202508261955-0"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.17",
    "release_date" : "2025-08-27T00:00:00Z",
    "advisory" : "RHSA-2025:14059",
    "cpe" : "cpe:/a:redhat:openshift:4.17::el9",
    "package" : "rhcos-417.94.202508141510-0"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.18",
    "release_date" : "2025-09-04T00:00:00Z",
    "advisory" : "RHSA-2025:14818",
    "cpe" : "cpe:/a:redhat:openshift:4.18::el9",
    "package" : "rhcos-418.94.202508261658-0"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.19",
    "release_date" : "2025-09-02T00:00:00Z",
    "advisory" : "RHSA-2025:14819",
    "cpe" : "cpe:/a:redhat:openshift:4.19::el9",
    "package" : "rhcos-4.19.9.6.202508271124-0"
  }, {
    "product_name" : "Red Hat Ceph Storage 7",
    "release_date" : "2025-12-01T00:00:00Z",
    "advisory" : "RHSA-2025:22529",
    "cpe" : "cpe:/a:redhat:ceph_storage:7::el9",
    "package" : "rhceph/rhceph-7-rhel9:sha256:4d2f9dc5b2b33ee1c77bbfabcbbb9f4d94d343b04c4de2e4f8b3b81a1f0fd2fe"
  }, {
    "product_name" : "Red Hat Discovery 2",
    "release_date" : "2025-08-20T00:00:00Z",
    "advisory" : "RHSA-2025:14186",
    "cpe" : "cpe:/a:redhat:discovery:2::el9",
    "package" : "discovery/discovery-server-rhel9:sha256:6464f1f591001fd514a87e3c7347d2ce709b9c97edaad2d0d649ae69499049e9"
  }, {
    "product_name" : "Red Hat Insights proxy 1.5",
    "release_date" : "2025-08-26T00:00:00Z",
    "advisory" : "RHSA-2025:14644",
    "cpe" : "cpe:/a:redhat:insights_proxy:1.5::el9",
    "package" : "insights-proxy/insights-proxy-container-rhel9:sha256:3fa6c89778502bfb0b16ef8ff3c576467e8a21269afb2380c4ae176ee2fc7fec"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 3.5.1",
    "release_date" : "2025-08-11T00:00:00Z",
    "advisory" : "RHSA-2025:13622",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3.5::el8",
    "package" : "rhosdt/jaeger-agent-rhel8:sha256:2a359b16651cf20b9e37faabc6f57753744c59103979670260e263df2857da47"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 3.5.1",
    "release_date" : "2025-08-11T00:00:00Z",
    "advisory" : "RHSA-2025:13622",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3.5::el8",
    "package" : "rhosdt/jaeger-all-in-one-rhel8:sha256:02d88da5fdc965b3759b7c74667dc93a374dc379719456a2a9c0ef15ac36d656"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 3.5.1",
    "release_date" : "2025-08-11T00:00:00Z",
    "advisory" : "RHSA-2025:13622",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3.5::el8",
    "package" : "rhosdt/jaeger-collector-rhel8:sha256:260572b783d27d50a2dcdcac09a1fe15358c0fa5f85de93ce5fd8321cd81a0fa"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 3.5.1",
    "release_date" : "2025-08-11T00:00:00Z",
    "advisory" : "RHSA-2025:13622",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3.5::el8",
    "package" : "rhosdt/jaeger-es-index-cleaner-rhel8:sha256:783a10c95edcb5c5cb8394b796f27dbfbb5ac6e1ee3baaa27d6c43f411ad6045"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 3.5.1",
    "release_date" : "2025-08-11T00:00:00Z",
    "advisory" : "RHSA-2025:13622",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3.5::el8",
    "package" : "rhosdt/jaeger-es-rollover-rhel8:sha256:39b2d56b8f0eb3b539697fc387ae84230182c7e8cf5c184b8ee6c02e29386120"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 3.5.1",
    "release_date" : "2025-08-11T00:00:00Z",
    "advisory" : "RHSA-2025:13622",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3.5::el8",
    "package" : "rhosdt/jaeger-ingester-rhel8:sha256:0932824cfd76c0e3d80f6e5b81312405b4a6a670d715144fc4d08bdb3a3cf962"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 3.5.1",
    "release_date" : "2025-08-11T00:00:00Z",
    "advisory" : "RHSA-2025:13622",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3.5::el8",
    "package" : "rhosdt/jaeger-operator-bundle:sha256:264613b2add0f32e5f537ee7cf9ba8019e5e9a347fdf20bc3de8d1678157ba66"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 3.5.1",
    "release_date" : "2025-08-11T00:00:00Z",
    "advisory" : "RHSA-2025:13622",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3.5::el8",
    "package" : "rhosdt/jaeger-query-rhel8:sha256:2509c7cc0bdf6d001442d2e83e21925b09a59c4b05eef81e98af93327f6f6c6d"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 3.5.1",
    "release_date" : "2025-08-11T00:00:00Z",
    "advisory" : "RHSA-2025:13622",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3.5::el8",
    "package" : "rhosdt/jaeger-rhel8-operator:sha256:c6f9ee5f306766c0502419fe691e9e14aad8b0d1a4ced7ff9b1738c272fba80b"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "libxml2",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-32415\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-32415\nhttps://gitlab.gnome.org/GNOME/libxml2/-/issues/890" ],
  "name" : "CVE-2025-32415",
  "mitigation" : {
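    "value" : "Do not process untrusted files with the libxml2 library. In particular, do not validate untrusted XML documents against XML schemas that use identity constraints, and do not load untrusted XML schemas.",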
    "lang" : "en:us"
  },
  "csaw" : false
}