libxml2 <2.13.8/2.14.2: heap under-read in xmlSchemaIDCFillNodeTables
CVE-2025-32415 Published on April 17, 2025

In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.

Github Repository NVD

Weakness Type

Improper Validation of Specified Quantity in Input

The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.

Products Associated with CVE-2025-32415

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2025-32415 are published in these products:

Xmlsoft Libxml2

Canonical Ubuntu Linux

Oracle

Red Hat Http Server

Affected Versions

xmlsoft libxml2:

Before 2.13.8 is affected.
Version 2.14.0 and below 2.14.2 is affected.

Vulnerable Packages

The following package name and versions may be associated with CVE-2025-32415

Package Manager	Vulnerable Package	Versions	Fixed In
rubygems	nokogiri	< 1.18.8	1.18.8

Exploit Probability

EPSS

0.07%

Percentile

21.58%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.