{
  "threat_severity" : "Important",
  "public_date" : "2025-06-11T00:00:00Z",
  "bugzilla" : {
    "description" : "libxml: Type confusion leads to Denial of service (DoS)",
    "id" : "2372385",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2372385"
  },
  "cvss3" : {
    "cvss3_base_score" : "9.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-125",
  "details" : [ "A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory.", "A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory." ],
  "statement" : "The Red Hat Product Security team has evaluated this vulnerability as having an Important security impact, as libxml can be used to parse XML from the network depending on how the program consumes it using the library. Additionally, although the initial report shows a crash due to invalid memory access (A:H), other undefined issues that can present data integrity due to the application overwriting sensitive data are not discarded (I:H).",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-07-08T00:00:00Z",
    "advisory" : "RHSA-2025:10630",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.0",
    "package" : "libxml2-0:2.12.5-7.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7 Extended Lifecycle Support",
    "release_date" : "2025-07-30T00:00:00Z",
    "advisory" : "RHSA-2025:12240",
    "cpe" : "cpe:/o:redhat:rhel_els:7",
    "package" : "libxml2-0:2.9.1-6.el7_9.10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-07-09T00:00:00Z",
    "advisory" : "RHSA-2025:10698",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "libxml2-0:2.9.7-21.el8_10.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-07-09T00:00:00Z",
    "advisory" : "RHSA-2025:10698",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "libxml2-0:2.9.7-21.el8_10.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support",
    "release_date" : "2025-07-30T00:00:00Z",
    "advisory" : "RHSA-2025:12237",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.2",
    "package" : "libxml2-0:2.9.7-9.el8_2.3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2025-07-30T00:00:00Z",
    "advisory" : "RHSA-2025:12241",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.4",
    "package" : "libxml2-0:2.9.7-9.el8_4.6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On",
    "release_date" : "2025-07-30T00:00:00Z",
    "advisory" : "RHSA-2025:12241",
    "cpe" : "cpe:/a:redhat:rhel_eus_long_life:8.4",
    "package" : "libxml2-0:2.9.7-9.el8_4.6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2025-07-29T00:00:00Z",
    "advisory" : "RHSA-2025:12098",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.6",
    "package" : "libxml2-0:2.9.7-13.el8_6.10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2025-07-29T00:00:00Z",
    "advisory" : "RHSA-2025:12098",
    "cpe" : "cpe:/a:redhat:rhel_tus:8.6",
    "package" : "libxml2-0:2.9.7-13.el8_6.10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2025-07-29T00:00:00Z",
    "advisory" : "RHSA-2025:12098",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.6",
    "package" : "libxml2-0:2.9.7-13.el8_6.10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
    "release_date" : "2025-07-30T00:00:00Z",
    "advisory" : "RHSA-2025:12239",
    "cpe" : "cpe:/a:redhat:rhel_tus:8.8",
    "package" : "libxml2-0:2.9.7-16.el8_8.9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
    "release_date" : "2025-07-30T00:00:00Z",
    "advisory" : "RHSA-2025:12239",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.8",
    "package" : "libxml2-0:2.9.7-16.el8_8.9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-07-09T00:00:00Z",
    "advisory" : "RHSA-2025:10699",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "libxml2-0:2.9.13-10.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-07-09T00:00:00Z",
    "advisory" : "RHSA-2025:10699",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "libxml2-0:2.9.13-10.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2025-07-29T00:00:00Z",
    "advisory" : "RHSA-2025:12099",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "libxml2-0:2.9.13-1.el9_0.5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2025-07-29T00:00:00Z",
    "advisory" : "RHSA-2025:12199",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "libxml2-0:2.9.13-3.el9_2.7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2025-07-23T00:00:00Z",
    "advisory" : "RHSA-2025:11580",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "libxml2-0:2.9.13-10.el9_4"
  }, {
    "product_name" : "Red Hat JBoss Core Services 2.4.62.SP2",
    "release_date" : "2025-10-27T00:00:00Z",
    "advisory" : "RHSA-2025:19020",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1",
    "package" : "libxml2"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.12",
    "release_date" : "2025-11-13T00:00:00Z",
    "advisory" : "RHSA-2025:19894",
    "cpe" : "cpe:/a:redhat:openshift:4.12::el8",
    "package" : "rhcos-412.86.202510291903-0"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.13",
    "release_date" : "2025-10-23T00:00:00Z",
    "advisory" : "RHSA-2025:18240",
    "cpe" : "cpe:/a:redhat:openshift:4.13::el9",
    "package" : "rhcos-413.92.202510150118-0"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.14",
    "release_date" : "2025-10-30T00:00:00Z",
    "advisory" : "RHSA-2025:19041",
    "cpe" : "cpe:/a:redhat:openshift:4.14::el9",
    "package" : "rhcos-414.92.202510211419-0"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.17",
    "release_date" : "2025-10-22T00:00:00Z",
    "advisory" : "RHSA-2025:18218",
    "cpe" : "cpe:/a:redhat:openshift:4.17::el9",
    "package" : "rhcos-417.94.202510112152-0"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.18",
    "release_date" : "2025-10-29T00:00:00Z",
    "advisory" : "RHSA-2025:19046",
    "cpe" : "cpe:/a:redhat:openshift:4.18::el9",
    "package" : "rhcos-418.94.202510230424-0"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.19",
    "release_date" : "2025-10-22T00:00:00Z",
    "advisory" : "RHSA-2025:18217",
    "cpe" : "cpe:/a:redhat:openshift:4.19::el9",
    "package" : "rhcos-4.19.9.6.202510140714-0"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.20",
    "release_date" : "2025-10-21T00:00:00Z",
    "advisory" : "RHSA-2025:15397",
    "cpe" : "cpe:/a:redhat:openshift:4.20::el9",
    "package" : "rhcos-4.20.9.6.202509251656-0"
  }, {
    "product_name" : "Red Hat Web Terminal 1.11 on RHEL 9",
    "release_date" : "2025-09-15T00:00:00Z",
    "advisory" : "RHSA-2025:15828",
    "cpe" : "cpe:/a:redhat:webterminal:1.11::el9",
    "package" : "web-terminal/web-terminal-rhel9-operator:1.11-19"
  }, {
    "product_name" : "Red Hat Web Terminal 1.11 on RHEL 9",
    "release_date" : "2025-09-15T00:00:00Z",
    "advisory" : "RHSA-2025:15828",
    "cpe" : "cpe:/a:redhat:webterminal:1.11::el9",
    "package" : "web-terminal/web-terminal-tooling-rhel9:1.11-8"
  }, {
    "product_name" : "Red Hat Web Terminal 1.12 on RHEL 9",
    "release_date" : "2025-09-15T00:00:00Z",
    "advisory" : "RHSA-2025:15827",
    "cpe" : "cpe:/a:redhat:webterminal:1.12::el9",
    "package" : "web-terminal/web-terminal-tooling-rhel9:1.12-4"
  }, {
    "product_name" : "RHOSS-1.36-RHEL-8",
    "release_date" : "2026-01-22T00:00:00Z",
    "advisory" : "RHSA-2026:0934",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.36::el8",
    "package" : "openshift-serverless-1/logic-data-index-ephemeral-rhel8:1.36.0-11"
  }, {
    "product_name" : "RHOSS-1.36-RHEL-8",
    "release_date" : "2026-01-22T00:00:00Z",
    "advisory" : "RHSA-2026:0934",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.36::el8",
    "package" : "openshift-serverless-1/logic-data-index-postgresql-rhel8:1.36.0-11"
  }, {
    "product_name" : "RHOSS-1.36-RHEL-8",
    "release_date" : "2026-01-22T00:00:00Z",
    "advisory" : "RHSA-2026:0934",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.36::el8",
    "package" : "openshift-serverless-1/logic-db-migrator-tool-rhel8:1.36.0-11"
  }, {
    "product_name" : "RHOSS-1.36-RHEL-8",
    "release_date" : "2026-01-22T00:00:00Z",
    "advisory" : "RHSA-2026:0934",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.36::el8",
    "package" : "openshift-serverless-1/logic-jobs-service-ephemeral-rhel8:1.36.0-10"
  }, {
    "product_name" : "RHOSS-1.36-RHEL-8",
    "release_date" : "2026-01-22T00:00:00Z",
    "advisory" : "RHSA-2026:0934",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.36::el8",
    "package" : "openshift-serverless-1/logic-jobs-service-postgresql-rhel8:1.36.0-10"
  }, {
    "product_name" : "RHOSS-1.36-RHEL-8",
    "release_date" : "2026-01-22T00:00:00Z",
    "advisory" : "RHSA-2026:0934",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.36::el8",
    "package" : "openshift-serverless-1/logic-kn-workflow-cli-artifacts-rhel8:1.36.0-4"
  }, {
    "product_name" : "RHOSS-1.36-RHEL-8",
    "release_date" : "2026-01-22T00:00:00Z",
    "advisory" : "RHSA-2026:0934",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.36::el8",
    "package" : "openshift-serverless-1/logic-management-console-rhel8:1.36.0-9"
  }, {
    "product_name" : "RHOSS-1.36-RHEL-8",
    "release_date" : "2026-01-22T00:00:00Z",
    "advisory" : "RHSA-2026:0934",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.36::el8",
    "package" : "openshift-serverless-1/logic-operator-bundle:1.36.0-12"
  }, {
    "product_name" : "RHOSS-1.36-RHEL-8",
    "release_date" : "2026-01-22T00:00:00Z",
    "advisory" : "RHSA-2026:0934",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.36::el8",
    "package" : "openshift-serverless-1/logic-rhel8-operator:1.36.0-18"
  }, {
    "product_name" : "RHOSS-1.36-RHEL-8",
    "release_date" : "2026-01-22T00:00:00Z",
    "advisory" : "RHSA-2026:0934",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.36::el8",
    "package" : "openshift-serverless-1/logic-swf-builder-rhel8:1.36.0-11"
  }, {
    "product_name" : "RHOSS-1.36-RHEL-8",
    "release_date" : "2026-01-22T00:00:00Z",
    "advisory" : "RHSA-2026:0934",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.36::el8",
    "package" : "openshift-serverless-1/logic-swf-devmode-rhel8:1.36.0-7"
  }, {
    "product_name" : "cert-manager operator for Red Hat OpenShift 1.16",
    "release_date" : "2025-10-16T00:00:00Z",
    "advisory" : "RHSA-2025:18219",
    "cpe" : "cpe:/a:redhat:cert_manager:1.16::el9",
    "package" : "cert-manager/jetstack-cert-manager-rhel9:sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b"
  }, {
    "product_name" : "File Integrity Operator 1",
    "release_date" : "2025-11-21T00:00:00Z",
    "advisory" : "RHSA-2025:21913",
    "cpe" : "cpe:/a:redhat:openshift_file_integrity_operator:1::el9",
    "package" : "compliance/openshift-file-integrity-rhel8-operator:sha256:364d11af112a5b1d3f28c9ea8b7aac678e111b9c7fca0516d61036904f318605"
  }, {
    "product_name" : "Red Hat Discovery 2",
    "release_date" : "2025-08-06T00:00:00Z",
    "advisory" : "RHSA-2025:13267",
    "cpe" : "cpe:/a:redhat:discovery:2::el9",
    "package" : "discovery/discovery-server-rhel9:sha256:ad07f55ee75fb20310c88f154a04665bd8465d138d66c665c300f61447858344"
  }, {
    "product_name" : "Red Hat Insights proxy 1.5",
    "release_date" : "2025-08-07T00:00:00Z",
    "advisory" : "RHSA-2025:13335",
    "cpe" : "cpe:/a:redhat:insights_proxy:1.5::el9",
    "package" : "insights-proxy/insights-proxy-container-rhel9:sha256:c26d589f12647890b67aaa986f54d3f7c6f7f2563fb5a73f38d559e6138739d7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "libxml2",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-49796\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-49796\nhttps://gitlab.gnome.org/GNOME/libxml2/-/issues/933" ],
  "name" : "CVE-2025-49796",
  "mitigation" : {
    "value" : "There's no available mitigation other than to avoid processing untrusted XML documents if the user is unable/unwilling to update the library.",
    "lang" : "en:us"
  },
  "csaw" : false
}