
Five Critical Security Vulnerabilities Disclosed in Widely-Used libxml2 Library

[Image: CVE-2025-49794 libxml2 vulnerability]
The maintainers of libxml2, a fundamental XML parsing library used across countless software applications, have disclosed five serious security vulnerabilities that could enable denial-of-service attacks and potentially arbitrary code execution. 

libxml2 is a software library, written in C, for parsing XML documents; it provides bindings for C++, Python, Ruby, Perl, PHP, and other languages. Originally developed for the GNOME project, the library has become ubiquitous in modern computing infrastructure, powering XML processing in web browsers, enterprise applications, operating systems, and embedded devices. Its widespread adoption makes these vulnerabilities particularly concerning for the broader technology ecosystem.

The Disclosed Vulnerabilities

The five newly disclosed CVEs range from memory corruption issues to buffer overflows. Three of them (CVE-2025-49794, CVE-2025-49795, and CVE-2025-49796) affect the Schematron validation component; researchers at Positive Technologies discovered a heap use-after-free, a null pointer dereference, and a type confusion flaw, respectively. These issues could crash applications that process malformed XML documents.

Two additional vulnerabilities discovered by Ahmed Lekssays at Qatar Computing Research Institute pose even greater risks. CVE-2025-6021 involves an integer overflow in the xmlBuildQName function that could lead to buffer overflows, while CVE-2025-6170 represents a stack-based buffer overflow in xmllint's interactive shell that could potentially enable arbitrary code execution.
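The integer-overflow-to-buffer-overflow pattern described for xmlBuildQName is a general one: the size of a destination buffer is computed by adding lengths, the sum wraps to a small value, the small buffer is allocated, and the full data is then copied into it. The example below is added here to illustrate that bug class and the check that prevents it; it is not libxml2's code, does not reproduce the real function or the specifics of CVE-2025-6021, and the helper names (`unchecked_size`, `qname_alloc_size`, `build_qname_checked`) are hypothetical.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The unsafe pattern: "prefix:name\0" needs prefix_len + name_len + 2
 * bytes, but plain addition silently wraps when the inputs are large.
 * Unsigned wrap is well defined in C, so the wrapped (tiny) result is
 * what malloc would receive. (Hypothetical helper, not libxml2's.) */
unsigned int unchecked_size(unsigned int prefix_len, unsigned int name_len)
{
    return prefix_len + name_len + 2;
}

/* The hardened computation: refuse any sum that would wrap.
 * Returns 1 and stores the size in *out on success, 0 on overflow. */
int qname_alloc_size(size_t prefix_len, size_t name_len, size_t *out)
{
    size_t partial;

    if (prefix_len > SIZE_MAX - 2)        /* prefix_len + 2 would wrap */
        return 0;
    partial = prefix_len + 2;             /* ':' and terminating NUL */
    if (name_len > SIZE_MAX - partial)    /* partial + name_len would wrap */
        return 0;
    *out = partial + name_len;
    return 1;
}

/* Join prefix and local name as "prefix:name" in a newly allocated
 * buffer sized by qname_alloc_size. A NULL or empty prefix yields a
 * plain copy of name. Returns NULL on overflow or allocation failure;
 * the caller frees the result. */
char *build_qname_checked(const char *prefix, const char *name)
{
    size_t prefix_len = prefix ? strlen(prefix) : 0;
    size_t name_len = strlen(name);
    size_t size;
    char *out;

    if (prefix_len == 0) {
        /* strlen returned name_len, so name_len + 1 cannot wrap */
        out = malloc(name_len + 1);
        if (out)
            memcpy(out, name, name_len + 1);
        return out;
    }
    if (!qname_alloc_size(prefix_len, name_len, &size))
        return NULL;                      /* would have under-allocated */
    out = malloc(size);
    if (!out)
        return NULL;
    memcpy(out, prefix, prefix_len);
    out[prefix_len] = ':';
    memcpy(out + prefix_len + 1, name, name_len + 1);  /* copies the NUL too */
    return out;
}

int main(void)
{
    size_t sz;
    char *q = build_qname_checked("xs", "element");

    printf("unchecked: %u bytes for a %u-byte prefix\n",
           unchecked_size(UINT_MAX - 1, 5), UINT_MAX - 1);
    printf("checked: %s\n",
           qname_alloc_size(SIZE_MAX, 5, &sz) ? "accepted" : "rejected overflow");
    if (q) {
        printf("qname: %s\n", q);
        free(q);
    }
    return 0;
}
```

The first printf shows the unsafe arithmetic handing back a single-digit size for inputs that actually need gigabytes; any subsequent copy into a buffer of that size is a heap overflow. The checked variant turns the same inputs into a hard failure before any allocation happens, which is the behaviour a parser handling untrusted XML needs.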

Libxml2 has faced security challenges before, with previous versions suffering from NULL dereference vulnerabilities, and recent issues like CVE-2024-25062 affecting major systems, including IBM AIX. The library's security track record underscores the ongoing challenges in maintaining secure XML processing capabilities.

Notably, the project maintainers are considering removing Schematron support entirely due to the concentration of vulnerabilities in this component. This decision reflects the difficult balance between feature completeness and security maintenance in widely-deployed open-source libraries.
