CVE-2025-6170
Description
A flaw was found in the interactive shell of the xmllint command-line tool, used for parsing XML files. When a user inputs an overly long command, the program does not check the input size properly, which can cause it to crash. This issue might allow attackers to run harmful code in rare configurations without modern protections.
Mitigations
Mitigation details
Description
libxml2: Stack Buffer Overflow in xmllint Interactive Shell Command Handling
Red Hat statement
The Red Hat Product Security team has rated the severity of this vulnerability as Low, since it affects only the interactive shell mode of the xmllint tool and requires a user to manually run the tool and enter or receive specially crafted input. The exploitation requires local access and a highly specific usage scenario that is uncommon in typical environments. While it can cause a crash, the impact is limited to availability, and exploitation is unlikely in real-world deployments.
CVSS v3: 2.5 (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)
Errata / fixed releases
| Product | Package | Advisory | Released |
|---|---|---|---|
| Red Hat Hardened Images | libxml2-main-2.15.2-0.3.hum1 | RHSA-2026:7519 | 2026-04-10T00:00:00Z |
Package state
| Product | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 10 | libxml2 | Fix deferred |
| Red Hat Enterprise Linux 6 | libxml2 | Out of support scope |
| Red Hat Enterprise Linux 7 | libxml2 | Out of support scope |
| Red Hat Enterprise Linux 8 | libxml2 | Fix deferred |
| Red Hat Enterprise Linux 9 | libxml2 | Fix deferred |
| Red Hat JBoss Core Services | libxml2 | Fix deferred |
| Red Hat OpenShift Container Platform 4 | rhcos | Fix deferred |
Apply commands
```shell
yum update -y libxml2-main
# or:
dnf upgrade -y libxml2-main
```
OS impact
Arch Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| - | Affected | - |
Red Hat Affected 5 releases
| Version | Status | Fixed in |
|---|---|---|
| 10.0 | Affected | - |
| 9.0 | Affected | - |
| 8.0 | Affected | - |
| 7.0 | Affected | - |
| 6.0 | Affected | - |
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| - | Affected | - |
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 2.12.7+dfsg+really2.9.14-2.1 |
| sid | Fixed | 2.12.7+dfsg+really2.9.14-2.1 |
| forky | Fixed | 2.12.7+dfsg+really2.9.14-2.1 |
| bullseye | Fixed | 2.9.10+dfsg-6.7+deb11u8 |
| bookworm | Fixed | 2.9.14+dfsg-1.3~deb12u3 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| redhat | jboss_core_services | - | |
| redhat | openshift_container_platform | 4.0 | |
| xmlsoft | libxml2 | - | |
References
- https://www.suse.com/security/cve/CVE-2025-6170.html
- https://security-tracker.debian.org/tracker/CVE-2025-6170
- https://access.redhat.com/errata/RHSA-2026:7519
- https://access.redhat.com/security/cve/CVE-2025-6170
- https://bugzilla.redhat.com/show_bug.cgi?id=2372952
- https://gitlab.gnome.org/GNOME/libxml2/-/issues/941
- https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html
- https://cert-portal.siemens.com/productcert/html/ssa-253495.html
CWEs
CWE-121