rpm package: suse/python-libxml2-python (distro: SUSE Linux Enterprise Server 15 SP3-LTSS)
purl: pkg:rpm/suse/python-libxml2-python&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSS
Vulnerabilities (15)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-7425 | High | 7.8 | | < 2.9.7-150000.3.85.1 | 2.9.7-150000.3.85.1 | Jul 10, 2025 | A flaw was found in libxslt where the attribute type, atype, flags are modified in a way that corrupts internal memory management. When XSLT functions, such as the key() process, result in tree fragments, this corruption prevents the proper cleanup of ID attributes. As a result, |
| CVE-2025-6170 | Low | 2.5 | | < 2.9.7-150000.3.82.1 | 2.9.7-150000.3.82.1 | Jun 16, 2025 | A flaw was found in the interactive shell of the xmllint command-line tool, used for parsing XML files. When a user inputs an overly long command, the program does not check the input size properly, which can cause it to crash. This issue might allow attackers to run harmful code |
| CVE-2025-49796 | Critical | 9.1 | | < 2.9.7-150000.3.82.1 | 2.9.7-150000.3.82.1 | Jun 16, 2025 | A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other poss |
| CVE-2025-49794 | Critical | 9.1 | | < 2.9.7-150000.3.82.1 | 2.9.7-150000.3.82.1 | Jun 16, 2025 | A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the <sch:name path="..."/> schema elements. This flaw allows a malicious actor to craft a malicious XML document used as inpu |
| CVE-2025-6021 | High | 7.5 | | < 2.9.7-150000.3.82.1 | 2.9.7-150000.3.82.1 | Jun 12, 2025 | A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input. |
| CVE-2025-27113 | — | — | | < 2.9.7-150000.3.76.1 | 2.9.7-150000.3.76.1 | Feb 18, 2025 | libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c. |
| CVE-2025-24928 | — | — | | < 2.9.7-150000.3.76.1 | 2.9.7-150000.3.76.1 | Feb 18, 2025 | libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a stack-based buffer overflow in xmlSnprintfElements in valid.c. To exploit this, DTD validation must occur for an untrusted document or untrusted DTD. NOTE: this is similar to CVE-2017-9047. |
| CVE-2024-56171 | — | — | | < 2.9.7-150000.3.76.1 | 2.9.7-150000.3.76.1 | Feb 18, 2025 | libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML |
| CVE-2022-49043 | — | — | | < 2.9.7-150000.3.73.1 | 2.9.7-150000.3.73.1 | Jan 26, 2025 | xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free. |
| CVE-2024-25062 | — | — | | < 2.9.7-150000.3.66.1 | 2.9.7-150000.3.66.1 | Feb 4, 2024 | An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free. |
| CVE-2023-39615 | — | — | | < 2.9.7-150000.3.60.1 | 2.9.7-150000.3.60.1 | Aug 29, 2023 | Xmlsoft Libxml2 v2.11.0 was discovered to contain an out-of-bounds read via the xmlSAX2StartElement() function at /libxml2/SAX2.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted XML file. NOTE: the vendor's position is that the prod |
| CVE-2023-29469 | — | — | | < 2.9.7-150000.3.57.1 | 2.9.7-150000.3.57.1 | Apr 24, 2023 | An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there |
| CVE-2023-28484 | — | — | | < 2.9.7-150000.3.57.1 | 2.9.7-150000.3.57.1 | Apr 24, 2023 | In libxml2 before 2.10.4, parsing of certain invalid XSD schemas can lead to a NULL pointer dereference and subsequently a segfault. This occurs in xmlSchemaFixupComplexType in xmlschemas.c. |
| CVE-2022-29824 | — | — | | < 2.9.7-150000.3.57.1 | 2.9.7-150000.3.57.1 | May 3, 2022 | In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software usin |
| CVE-2021-3541 | — | — | | < 2.9.7-150000.3.57.1 | 2.9.7-150000.3.57.1 | Jul 9, 2021 | A flaw was found in libxml2. An exponential entity expansion attack is possible, bypassing all existing protection mechanisms and leading to denial of service. |