libxslt Heap Corruption via atype Flag Manipulation
CVE-2025-7425 Published on July 10, 2025

Libxslt: libxml2: heap use-after-free in libxslt caused by atype corruption in xmlattrptr
A flaw was found in libxslt where the attribute type, atype, flags are modified in a way that corrupts internal memory management. When XSLT functions, such as the key() process, result in tree fragments, this corruption prevents the proper cleanup of ID attributes. As a result, the system may access freed memory, causing crashes or enabling attackers to trigger heap corruption.

Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory NVD

Vulnerability Analysis

CVE-2025-7425 can be exploited with local system access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. Public availability of a proof of concept (POC) exploit exists for CVE-2025-7425. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, a high impact on integrity and availability.

Attack Vector:

LOCAL

Attack Complexity:

HIGH

Privileges Required:

NONE

User Interaction:

NONE

Scope:

CHANGED

Confidentiality Impact:

NONE

Integrity Impact:

HIGH

Availability Impact:

HIGH

Timeline

2025-07-10

Reported to Red Hat.

2025-07-10

Made public.

Weakness Type

What is a Dangling pointer Vulnerability?

Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

CVE-2025-7425 has been classified to as a Dangling pointer vulnerability or weakness.

Products Associated with CVE-2025-7425

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2025-7425 are published in these products:

Apple Safari

Apple iOS

Apple iPadOS

Apple macOS

Apple watchOS

Apple tvOS

Apple visionOS

Rhelels 7

Enterpriselinux 8

Rhelaus 8 2

Rhelaus 8 4

Rheleuslonglife 8 4

Rhele4s 8 6

Rhelaus 8 6

Rheltus 8 6

Rhele4s 8 8

Rheltus 8 8

Enterpriselinux 9

Rhele4s 9 0

Rhele4s 9 2

Rheleus 9 4

Openshift 4 12

Openshift 4 14

Openshift 4 15

Openshift 4 16

Openshift 4 17

Openshift 4 18

Openshift 4 19

Discovery 2

Insightsproxy 1 5

Openshiftdistributedtracing 3 5

Enterpriselinux 10

Enterpriselinux 6

Red Hat Rhel Els

Red Hat Enterprise Linux (RHEL)

Red Hat Rhel Aus

Red Hat Rhel Eus Long Life

Red Hat Rhel E4s

Red Hat Rhel Tus

Red Hat Rhel Eus

Red Hat Openshift

Red Hat Webterminal

Red Hat Discovery

Red Hat Insights Proxy

Red Hat Openshift Distributed Tracing

Red Hat Rhivos

Red Hat Cert Manager

Oracle

Red Hat Openshift Compliance Operator

Red Hat Openshift File Integrity Operator

Canonical Ubuntu Linux

Red Hat Openshift Serverless

Red Hat Hummingbird

Affected Versions

GNOME libxml2:

Before 2.15.2 is affected.

Red Hat Enterprise Linux 10:

Version 0:2.12.5-8.el10_0 and below * is unaffected.

Red Hat Enterprise Linux 10:

Version 0:1.1.39-8.el10_0 and below * is unaffected.

Red Hat Enterprise Linux 7 Extended Lifecycle Support:

Version 0:2.9.1-6.el7_9.12 and below * is unaffected.

Red Hat Enterprise Linux 8:

Version 0:2.9.7-21.el8_10.2 and below * is unaffected.

Red Hat Enterprise Linux 8:

Version 0:2.9.7-21.el8_10.2 and below * is unaffected.

Red Hat Enterprise Linux 8.2 Advanced Update Support:

Version 0:2.9.7-9.el8_2.4 and below * is unaffected.

Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support:

Version 0:2.9.7-9.el8_4.7 and below * is unaffected.

Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On:

Version 0:2.9.7-9.el8_4.7 and below * is unaffected.

Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support:

Version 0:2.9.7-13.el8_6.11 and below * is unaffected.

Red Hat Enterprise Linux 8.6 Telecommunications Update Service:

Version 0:2.9.7-13.el8_6.11 and below * is unaffected.

Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions:

Version 0:2.9.7-13.el8_6.11 and below * is unaffected.

Red Hat Enterprise Linux 8.8 Telecommunications Update Service:

Version 0:2.9.7-16.el8_8.10 and below * is unaffected.

Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions:

Version 0:2.9.7-16.el8_8.10 and below * is unaffected.

Red Hat Enterprise Linux 9:

Version 0:2.9.13-11.el9_6 and below * is unaffected.

Red Hat Enterprise Linux 9:

Version 0:2.9.13-11.el9_6 and below * is unaffected.

Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions:

Version 0:2.9.13-1.el9_0.6 and below * is unaffected.

Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions:

Version 0:2.9.13-3.el9_2.8 and below * is unaffected.

Red Hat Enterprise Linux 9.4 Extended Update Support:

Version 0:2.9.13-11.el9_4 and below * is unaffected.

Red Hat OpenShift Container Platform 4.12:

Version 412.86.202509030110-0 and below * is unaffected.

Red Hat OpenShift Container Platform 4.13:

Version 413.92.202509030117-0 and below * is unaffected.

Red Hat OpenShift Container Platform 4.14:

Version 414.92.202508270040-0 and below * is unaffected.

Red Hat OpenShift Container Platform 4.15:

Version 415.92.202508192014-0 and below * is unaffected.

Red Hat OpenShift Container Platform 4.16:

Version 416.94.202508261955-0 and below * is unaffected.

Red Hat OpenShift Container Platform 4.17:

Version 417.94.202508141510-0 and below * is unaffected.

Red Hat OpenShift Container Platform 4.18:

Version 418.94.202508261658-0 and below * is unaffected.

Red Hat OpenShift Container Platform 4.19:

Version 4.19.9.6.202508271124-0 and below * is unaffected.

Red Hat Web Terminal 1.11 on RHEL 9:

Version 1.11-19 and below * is unaffected.

Red Hat Web Terminal 1.11 on RHEL 9:

Version 1.11-8 and below * is unaffected.

Red Hat Web Terminal 1.12 on RHEL 9:

Version 1.12-4 and below * is unaffected.

Red Hat RHOSS-1.36-RHEL-8:

Version 1.36.0-11 and below * is unaffected.

Red Hat RHOSS-1.36-RHEL-8:

Version 1.36.0-11 and below * is unaffected.

Red Hat RHOSS-1.36-RHEL-8:

Version 1.36.0-11 and below * is unaffected.

Red Hat RHOSS-1.36-RHEL-8:

Version 1.36.0-10 and below * is unaffected.

Red Hat RHOSS-1.36-RHEL-8:

Version 1.36.0-10 and below * is unaffected.

Red Hat RHOSS-1.36-RHEL-8:

Version 1.36.0-4 and below * is unaffected.

Red Hat RHOSS-1.36-RHEL-8:

Version 1.36.0-9 and below * is unaffected.

Red Hat RHOSS-1.36-RHEL-8:

Version 1.36.0-18 and below * is unaffected.

Red Hat RHOSS-1.36-RHEL-8:

Version 1.36.0-11 and below * is unaffected.

Red Hat RHOSS-1.36-RHEL-8:

Version 1.36.0-7 and below * is unaffected.

cert-manager operator for Red Hat OpenShift 1.16:

Version v1.16.5-1760515757 and below * is unaffected.

Red Hat File Integrity Operator 1:

Version v1.3 and below * is unaffected.

Red Hat OpenShift Compliance Operator 1:

Version 1.8.0 and below * is unaffected.

Red Hat OpenShift Compliance Operator 1:

Version 1.8.0 and below * is unaffected.

Red Hat OpenShift Compliance Operator 1:

Version 1.8.0 and below * is unaffected.

Red Hat Discovery 2:

Version 2.0.1-1754478727 and below * is unaffected.

Red Hat Hardened Images:

Version 2.15.3-0.1.hum1 and below * is unaffected.

Red Hat Insights proxy 1.5:

Version 1.5.5-1754504343 and below * is unaffected.