Libxml2 Vulnerabilities Could Allow Code Execution

A recent report discloses five vulnerabilities in libxml2, the library developed by the GNOME project and used for parsing XML content. Two of the five could allow code execution when specially crafted external data is processed. libxml2 is widely used in open projects and is a dependency of more than 800 packages in Ubuntu.

The first vulnerability (CVE-2025-6170) is a buffer overflow in the interactive shell for working with XML files. The overflow occurs when processing excessively long command arguments, because the input size is not validated before the data is copied with strcpy(). Attackers could exploit this by influencing the commands passed to the xmllint utility. A patch to address this vulnerability is currently unavailable.

The second vulnerability (CVE-2025-6021) is in the implementation of the xmlBuildQName() function, which can write data beyond the end of a buffer because the buffer size is miscalculated from the prefix and local name. Attackers could potentially supply their own data in the prefix and ncname arguments passed to the function. A patch has been prepared and is included in libxml2 2.14.4. Various distributions are in the process of reviewing and implementing these corrections.
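The class of error described above, a buffer sized from two attacker-influenced string lengths, is avoided by doing the size arithmetic in size_t with explicit wraparound and capacity checks before any copy. The following is an added example, not libxml2's code or its patch; build_qname_checked and its parameters are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not libxml2 code: writes "prefix:local" into the
 * caller's buffer when it fits, otherwise into a fresh heap buffer that the
 * caller must free. Returns NULL on bad input, overflow or failed malloc. */
char *build_qname_checked(const char *local, const char *prefix,
                          char *mem, size_t mem_len)
{
    if (local == NULL || prefix == NULL)
        return NULL;

    /* Keep lengths in size_t; a narrower type can wrap on very long names. */
    size_t lp = strlen(prefix);
    size_t ll = strlen(local);

    /* need = prefix + ':' + local + NUL; reject arithmetic wraparound. */
    if (lp > SIZE_MAX - 2 || ll > SIZE_MAX - 2 - lp)
        return NULL;
    size_t need = lp + ll + 2;

    /* Use the caller's buffer only when the whole result fits in it. */
    char *out = (mem != NULL && need <= mem_len) ? mem : malloc(need);
    if (out == NULL)
        return NULL;

    memcpy(out, prefix, lp);
    out[lp] = ':';
    memcpy(out + lp + 1, local, ll + 1); /* includes the terminating NUL */
    return out;
}

int main(void)
{
    char small[8]; /* constructed input: too small for "xlink:href" */
    char *q = build_qname_checked("href", "xlink", small, sizeof small);
    if (q == NULL)
        return 1;
    printf("%s (%s)\n", q, q == small ? "caller buffer" : "heap");
    if (q != small)
        free(q);
    return 0;
}
```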

The remaining three vulnerabilities require immediate attention: a use-after-free in the xmlSchematronGetNode function (CVE-2025-49794), a null pointer dereference in the xmlXPathCompiledEval function (CVE-2025-49795), and a type confusion in the xmlSchematronFormatReport function (CVE-2025-49796).
