SB2025102129 - Multiple vulnerabilities in IBM Robotic Process Automation for Cloud Pak
Published: October 21, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Improper access control (CVE-ID: CVE-2025-6020)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper access restrictions within the pam_namespace module when handling user-controlled paths. A local user can use specially crafted symlinks and race conditions to execute arbitrary code as root.
2) Out-of-bounds read (CVE-ID: CVE-2025-32414)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to an out-of-bounds read that occurs in the Python API (Python bindings) because of an incorrect return value. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
3) Use-after-free (CVE-ID: CVE-2025-49794)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a use-after-free error within the xmlSchematronGetNode() function when processing XPath expressions in Schematron schema elements schematron.c. A remote attacker can pass specially crafted XML input to the application and perform a denial of service (DoS) attack.
4) Type Confusion (CVE-ID: CVE-2025-49796)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a type confusion error within the xmlSchematronFormatReport() function when processing sch:name elements in schematron.c. A remote attacker can pass specially crafted data to the application, trigger a type confusion error and crash the application.
Remediation
Install update from vendor's website.