libxslt Heap Corruption via atype Flag Manipulation
CVE-2025-7425 Published on July 10, 2025

Libxslt: heap use-after-free in libxslt caused by atype corruption in xmlattrptr
A flaw was found in libxslt where the attribute type, atype, flags are modified in a way that corrupts internal memory management. When XSLT functions, such as the key() process, result in tree fragments, this corruption prevents the proper cleanup of ID attributes. As a result, the system may access freed memory, causing crashes or enabling attackers to trigger heap corruption.

Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory NVD

Vulnerability Analysis

CVE-2025-7425 can be exploited with local system access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. Public availability of a proof of concept (POC) exploit exists for CVE-2025-7425. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, a high impact on integrity and availability.

Attack Vector:

LOCAL

Attack Complexity:

HIGH

Privileges Required:

NONE

User Interaction:

NONE

Scope:

CHANGED

Confidentiality Impact:

NONE

Integrity Impact:

HIGH

Availability Impact:

HIGH

Timeline

2025-07-10

Reported to Red Hat.

2025-07-10

Made public.

Weakness Type

What is a Dangling pointer Vulnerability?

Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

CVE-2025-7425 has been classified to as a Dangling pointer vulnerability or weakness.

Products Associated with CVE-2025-7425

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2025-7425 are published in these products:

Apple Safari

Apple iOS

Apple iPadOS

Apple macOS

Apple watchOS

Apple tvOS

Apple visionOS

Rhelels 7

Enterpriselinux 8

Rhelaus 8 2

Rhelaus 8 4

Rheleuslonglife 8 4

Rhele4s 8 6

Rhelaus 8 6

Rheltus 8 6

Rhele4s 8 8

Rheltus 8 8

Enterpriselinux 9

Rhele4s 9 0

Rhele4s 9 2

Rheleus 9 4

Openshift 4 12

Openshift 4 14

Openshift 4 15

Openshift 4 16

Openshift 4 17

Openshift 4 18

Openshift 4 19

Discovery 2

Insightsproxy 1 5

Openshiftdistributedtracing 3 5

Enterpriselinux 10

Enterpriselinux 6

Red Hat Rhel Els

Red Hat Enterprise Linux (RHEL)

Red Hat Rhel Aus

Red Hat Rhel Eus Long Life

Red Hat Rhel E4s

Red Hat Rhel Tus

Red Hat Rhel Eus

Red Hat Openshift

Red Hat Webterminal

Red Hat Discovery

Red Hat Insights Proxy

Red Hat Openshift Distributed Tracing

Red Hat Rhivos

Red Hat Cert Manager

Oracle

Red Hat Openshift Compliance Operator

Red Hat Openshift File Integrity Operator

Canonical Ubuntu Linux

Red Hat Openshift Serverless

Red Hat Hummingbird

Affected Versions

GNOME libxml2:

Before 2.15.2 is affected.

Red Hat Enterprise Linux 10:

Version 0:2.12.5-8.el10_0 and below * is unaffected.

Red Hat Enterprise Linux 10:

Version 0:1.1.39-8.el10_0 and below * is unaffected.

Red Hat Enterprise Linux 7 Extended Lifecycle Support:

Version 0:2.9.1-6.el7_9.12 and below * is unaffected.

Red Hat Enterprise Linux 8:

Version 0:2.9.7-21.el8_10.2 and below * is unaffected.

Red Hat Enterprise Linux 8:

Version 0:2.9.7-21.el8_10.2 and below * is unaffected.

Red Hat Enterprise Linux 8.2 Advanced Update Support:

Version 0:2.9.7-9.el8_2.4 and below * is unaffected.

Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support:

Version 0:2.9.7-9.el8_4.7 and below * is unaffected.

Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On:

Version 0:2.9.7-9.el8_4.7 and below * is unaffected.

Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support:

Version 0:2.9.7-13.el8_6.11 and below * is unaffected.

Red Hat Enterprise Linux 8.6 Telecommunications Update Service:

Version 0:2.9.7-13.el8_6.11 and below * is unaffected.

Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions:

Version 0:2.9.7-13.el8_6.11 and below * is unaffected.

Red Hat Enterprise Linux 8.8 Telecommunications Update Service:

Version 0:2.9.7-16.el8_8.10 and below * is unaffected.

Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions:

Version 0:2.9.7-16.el8_8.10 and below * is unaffected.

Red Hat Enterprise Linux 9:

Version 0:2.9.13-11.el9_6 and below * is unaffected.

Red Hat Enterprise Linux 9:

Version 0:2.9.13-11.el9_6 and below * is unaffected.

Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions:

Version 0:2.9.13-1.el9_0.6 and below * is unaffected.

Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions:

Version 0:2.9.13-3.el9_2.8 and below * is unaffected.

Red Hat Enterprise Linux 9.4 Extended Update Support:

Version 0:2.9.13-11.el9_4 and below * is unaffected.

Red Hat OpenShift Container Platform 4.12:

Version 412.86.202509030110-0 and below * is unaffected.

Red Hat OpenShift Container Platform 4.13:

Version 413.92.202509030117-0 and below * is unaffected.

Red Hat OpenShift Container Platform 4.14:

Version 414.92.202508270040-0 and below * is unaffected.

Red Hat OpenShift Container Platform 4.15:

Version 415.92.202508192014-0 and below * is unaffected.

Red Hat OpenShift Container Platform 4.16:

Version 416.94.202508261955-0 and below * is unaffected.

Red Hat OpenShift Container Platform 4.17:

Version 417.94.202508141510-0 and below * is unaffected.

Red Hat OpenShift Container Platform 4.18:

Version 418.94.202508261658-0 and below * is unaffected.

Red Hat OpenShift Container Platform 4.19:

Version 4.19.9.6.202508271124-0 and below * is unaffected.

Red Hat Web Terminal 1.11 on RHEL 9:

Version 1.11-19 and below * is unaffected.

Red Hat Web Terminal 1.11 on RHEL 9:

Version 1.11-8 and below * is unaffected.

Red Hat Web Terminal 1.12 on RHEL 9:

Version 1.12-4 and below * is unaffected.

Red Hat RHOSS-1.36-RHEL-8:

Version 1.36.0-11 and below * is unaffected.

Red Hat RHOSS-1.36-RHEL-8:

Version 1.36.0-11 and below * is unaffected.

Red Hat RHOSS-1.36-RHEL-8:

Version 1.36.0-11 and below * is unaffected.

Red Hat RHOSS-1.36-RHEL-8:

Version 1.36.0-10 and below * is unaffected.

Red Hat RHOSS-1.36-RHEL-8:

Version 1.36.0-10 and below * is unaffected.

Red Hat RHOSS-1.36-RHEL-8:

Version 1.36.0-4 and below * is unaffected.

Red Hat RHOSS-1.36-RHEL-8:

Version 1.36.0-9 and below * is unaffected.

Red Hat RHOSS-1.36-RHEL-8:

Version 1.36.0-18 and below * is unaffected.

Red Hat RHOSS-1.36-RHEL-8:

Version 1.36.0-11 and below * is unaffected.

Red Hat RHOSS-1.36-RHEL-8:

Version 1.36.0-7 and below * is unaffected.

cert-manager operator for Red Hat OpenShift 1.16:

Version sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b and below * is unaffected.

Red Hat File Integrity Operator 1:

Version sha256:364d11af112a5b1d3f28c9ea8b7aac678e111b9c7fca0516d61036904f318605 and below * is unaffected.

Red Hat OpenShift Compliance Operator 1:

Version sha256:4953a7ea865ff38a4fe19d5536d8062870c262733c640a2c7e4bd9e0bfb3d498 and below * is unaffected.

Red Hat OpenShift Compliance Operator 1:

Version sha256:06ad8599c4b0170264e40a45b0126504c87c37f0832265c7ff6541d2385b2049 and below * is unaffected.

Red Hat OpenShift Compliance Operator 1:

Version sha256:0903a7a5c857d96c84fd022e5785514eff201047e2fdd5d6699d79f17440ef02 and below * is unaffected.

Red Hat Discovery 2:

Version sha256:ad07f55ee75fb20310c88f154a04665bd8465d138d66c665c300f61447858344 and below * is unaffected.

Red Hat Insights proxy 1.5:

Version sha256:c26d589f12647890b67aaa986f54d3f7c6f7f2563fb5a73f38d559e6138739d7 and below * is unaffected.