#VU111222 Not qualyfied - CVE-2025-49795

Cybersecurity Help s.r.o.

Published: 2025-06-17 | Updated: 2025-07-11

Vulnerability identifier: #VU111222

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-49795

CWE-ID: CWE-476

Exploitation vector: Network

Exploit availability: No

Description

This issue does not qualify for vulnerability definition as it is present in the dev code that was never released outside of the dev tree.

The original description:

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error within the xmlSchematronFormatReport() function when processing incorrect XPath expressions in Schematron schema reports. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.

Mitigation
Install update from vendor's website.

External links
https://bugzilla.redhat.com/show_bug.cgi?id=2372379
https://gitlab.gnome.org/GNOME/libxml2/-/issues/932

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Meinberg LANTIME firmware update for third-party components

Multiple vulnerabilities in IBM WatsonX BI Assistant

Anolis OS update for libxml2

Multiple libxml2 vulnerabilities in F5 Traffix SDC

Multiple vulnerabilities in IBM Decision Optimization for Cloud Pak for Data

openEuler 24.03 LTS update for libxml2

openEuler 24.03 LTS SP1 update for libxml2

openEuler 24.03 LTS SP2 update for libxml2

Red Hat Enterprise Linux 10 update for libxml2