CVE-2025-7425 | THREATINT

Description

A flaw was found in libxslt where the attribute type, atype, flags are modified in a way that corrupts internal memory management. When XSLT functions, such as the key() process, result in tree fragments, this corruption prevents the proper cleanup of ID attributes. As a result, the system may access freed memory, causing crashes or enabling attackers to trigger heap corruption.

PUBLISHED Reserved 2025-07-10 | Published 2025-07-10 | Updated 2026-06-06 | Assigner redhat

HIGH: 7.8CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H

Problem types

Use After Free

Product status

Default status

unaffected

Any version before 2.15.2

affected

Default status

affected

0:2.12.5-8.el10_0 (rpm) before *

unaffected

Default status

affected

0:1.1.39-8.el10_0 (rpm) before *

unaffected

Default status

affected

0:2.9.1-6.el7_9.12 (rpm) before *

unaffected

Default status

affected

0:2.9.7-21.el8_10.2 (rpm) before *

unaffected

Default status

affected

0:2.9.7-21.el8_10.2 (rpm) before *

unaffected

Default status

affected

0:2.9.7-9.el8_2.4 (rpm) before *

unaffected

Default status

affected

0:2.9.7-9.el8_4.7 (rpm) before *

unaffected

Default status

affected

0:2.9.7-9.el8_4.7 (rpm) before *

unaffected

Default status

affected

0:2.9.7-13.el8_6.11 (rpm) before *

unaffected

Default status

affected

0:2.9.7-13.el8_6.11 (rpm) before *

unaffected

Default status

affected

0:2.9.7-13.el8_6.11 (rpm) before *

unaffected

Default status

affected

0:2.9.7-16.el8_8.10 (rpm) before *

unaffected

Default status

affected

0:2.9.7-16.el8_8.10 (rpm) before *

unaffected

Default status

affected

0:2.9.13-11.el9_6 (rpm) before *

unaffected

Default status

affected

0:2.9.13-11.el9_6 (rpm) before *

unaffected

Default status

affected

0:2.9.13-1.el9_0.6 (rpm) before *

unaffected

Default status

affected

0:2.9.13-3.el9_2.8 (rpm) before *

unaffected

Default status

affected

0:2.9.13-11.el9_4 (rpm) before *

unaffected

Default status

affected

412.86.202509030110-0 (rpm) before *

unaffected

Default status

affected

413.92.202509030117-0 (rpm) before *

unaffected

Default status

affected

414.92.202508270040-0 (rpm) before *

unaffected

Default status

affected

415.92.202508192014-0 (rpm) before *

unaffected

Default status

affected

416.94.202508261955-0 (rpm) before *

unaffected

Default status

affected

417.94.202508141510-0 (rpm) before *

unaffected

Default status

affected

418.94.202508261658-0 (rpm) before *

unaffected

Default status

affected

4.19.9.6.202508271124-0 (rpm) before *

unaffected

Default status

affected

1.11-19 (rpm) before *

unaffected

Default status

affected

1.11-8 (rpm) before *

unaffected

Default status

affected

1.12-4 (rpm) before *

unaffected

Default status

affected

1.36.0-11 (rpm) before *

unaffected

Default status

affected

1.36.0-11 (rpm) before *

unaffected

Default status

affected

1.36.0-11 (rpm) before *

unaffected

Default status

affected

1.36.0-10 (rpm) before *

unaffected

Default status

affected

1.36.0-10 (rpm) before *

unaffected

Default status

affected

1.36.0-4 (rpm) before *

unaffected

Default status

affected

1.36.0-9 (rpm) before *

unaffected

Default status

affected

1.36.0-12 (rpm) before *

unaffected

Default status

affected

1.36.0-18 (rpm) before *

unaffected

Default status

affected

1.36.0-11 (rpm) before *

unaffected

Default status

affected

1.36.0-7 (rpm) before *

unaffected

Default status

affected

v1.16.5-1760515757 (rpm) before *

unaffected

Default status

affected

1.8.0 (rpm) before *

unaffected

Default status

affected

1.8.0 (rpm) before *

unaffected

Default status

affected

1.8.0 (rpm) before *

unaffected

Default status

affected

v1.3 (rpm) before *

unaffected

Default status

affected

2.0.1-1754478727 (rpm) before *

unaffected

Default status

affected

2.15.3-0.1.hum1 (rpm) before *

unaffected

Default status

affected

1.5.5-1754504343 (rpm) before *

unaffected

Default status

affected

rhosdt-3.5-1754559657 (rpm) before *

unaffected

Default status

affected

rhosdt-3.5-1754559845 (rpm) before *

unaffected

Default status

affected

rhosdt-3.5-1754559691 (rpm) before *

unaffected

Default status

affected

rhosdt-3.5-1754559660 (rpm) before *

unaffected

Default status

affected

rhosdt-3.5-1754559663 (rpm) before *

unaffected

Default status

affected

rhosdt-3.5-1754559657 (rpm) before *

unaffected

Default status

affected

rhosdt-3.5-1754569861 (rpm) before *

unaffected

Default status

affected

rhosdt-3.5-1754559846 (rpm) before *

unaffected

Default status

affected

rhosdt-3.5-1754559651 (rpm) before *

unaffected

Default status

unknown

Timeline

2025-07-10:	Reported to Red Hat.
2025-07-10:	Made public.

Credits

Red Hat would like to thank Sergei Glazunov (Google Project Zero) for reporting this issue.

References

gitlab.gnome.org/GNOME/libxslt/-/issues/140 exploit

lists.debian.org/debian-lts-announce/2025/09/msg00035.html

seclists.org/fulldisclosure/2025/Aug/0

seclists.org/fulldisclosure/2025/Jul/37

seclists.org/fulldisclosure/2025/Jul/35

seclists.org/fulldisclosure/2025/Jul/32

seclists.org/fulldisclosure/2025/Jul/30

www.openwall.com/lists/oss-security/2025/07/11/2

cert-portal.siemens.com/productcert/html/ssa-265688.html

cert-portal.siemens.com/productcert/html/ssa-082556.html

cert-portal.siemens.com/productcert/html/ssa-577017.html

cert-portal.siemens.com/productcert/html/ssa-032379.html

access.redhat.com/errata/RHBA-2025:12345 (RHBA-2025:12345) vendor-advisory

access.redhat.com/errata/RHSA-2025:12447 (RHSA-2025:12447) vendor-advisory

access.redhat.com/errata/RHSA-2025:12450 (RHSA-2025:12450) vendor-advisory

access.redhat.com/errata/RHSA-2025:13267 (RHSA-2025:13267) vendor-advisory

access.redhat.com/errata/RHSA-2025:13308 (RHSA-2025:13308) vendor-advisory

access.redhat.com/errata/RHSA-2025:13309 (RHSA-2025:13309) vendor-advisory

access.redhat.com/errata/RHSA-2025:13310 (RHSA-2025:13310) vendor-advisory

access.redhat.com/errata/RHSA-2025:13311 (RHSA-2025:13311) vendor-advisory

access.redhat.com/errata/RHSA-2025:13312 (RHSA-2025:13312) vendor-advisory

access.redhat.com/errata/RHSA-2025:13313 (RHSA-2025:13313) vendor-advisory

access.redhat.com/errata/RHSA-2025:13314 (RHSA-2025:13314) vendor-advisory

access.redhat.com/errata/RHSA-2025:13335 (RHSA-2025:13335) vendor-advisory

access.redhat.com/errata/RHSA-2025:13464 (RHSA-2025:13464) vendor-advisory

access.redhat.com/errata/RHSA-2025:13622 (RHSA-2025:13622) vendor-advisory

access.redhat.com/errata/RHSA-2025:14059 (RHSA-2025:14059) vendor-advisory

access.redhat.com/errata/RHSA-2025:14396 (RHSA-2025:14396) vendor-advisory

access.redhat.com/errata/RHSA-2025:14818 (RHSA-2025:14818) vendor-advisory

access.redhat.com/errata/RHSA-2025:14819 (RHSA-2025:14819) vendor-advisory

access.redhat.com/errata/RHSA-2025:14853 (RHSA-2025:14853) vendor-advisory

access.redhat.com/errata/RHSA-2025:14858 (RHSA-2025:14858) vendor-advisory

access.redhat.com/errata/RHSA-2025:15308 (RHSA-2025:15308) vendor-advisory

access.redhat.com/errata/RHSA-2025:15672 (RHSA-2025:15672) vendor-advisory

access.redhat.com/errata/RHSA-2025:15827 (RHSA-2025:15827) vendor-advisory

access.redhat.com/errata/RHSA-2025:15828 (RHSA-2025:15828) vendor-advisory

access.redhat.com/errata/RHSA-2025:18219 (RHSA-2025:18219) vendor-advisory

access.redhat.com/errata/RHSA-2025:21885 (RHSA-2025:21885) vendor-advisory

access.redhat.com/errata/RHSA-2025:21913 (RHSA-2025:21913) vendor-advisory

access.redhat.com/errata/RHSA-2026:0934 (RHSA-2026:0934) vendor-advisory

access.redhat.com/errata/RHSA-2026:11503 (RHSA-2026:11503) vendor-advisory

access.redhat.com/security/cve/CVE-2025-7425 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2379274 (RHBZ#2379274) issue-tracking

gitlab.gnome.org/GNOME/libxslt/-/issues/140

cve.org (CVE-2025-7425)

nvd.nist.gov (CVE-2025-7425)

Download JSON