Package | libxml2 |
---|---|
Version | 2.9.4+dfsg1-2.2+deb9u15 (stretch), 2.9.4+dfsg1-7+deb10u13 (buster) |
Related CVEs | CVE-2025-9714 |
- CVE-2025-9714

  It was discovered that recursion in XPath evaluation is uncontrolled, which allows a local attacker to cause a stack overflow via crafted expressions.
- CVE-2025-7425

  Sergei Glazunov discovered a heap-use-after-free in `xmlFreeID()` caused by `atype` corruption. While the vulnerability was reported against libxslt, the XSLT 1.0 processing library, it is now mitigated in this libxml2 version.
For Debian 10 buster, these problems have been fixed in version 2.9.4+dfsg1-7+deb10u13.
For Debian 9 stretch, these problems have been fixed in version 2.9.4+dfsg1-2.2+deb9u15.
We recommend that you upgrade your libxml2 packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.