CVE-2025-49795: Libxml: null pointer dereference leads to denial of service (dos)
A NULL pointer dereference vulnerability was found in libxml2 when processing XPath XML expressions. This flaw allows an attacker to craft a malicious XML input to libxml2, leading to a denial of service.
Security readout for executives and security teams
Plain-English summary
Libxml2 can crash when handling malicious XPath XML input, causing denial of service. The issue affects availability, not data theft or data modification, based on the supplied CVSS vector. Business urgency depends on whether exposed services parse untrusted XML using affected libxml2 builds.
Executive priority
Treat as a high-priority availability issue where XML processing is exposed to untrusted users. It is less urgent for systems that do not process external XML or run unaffected distributions, but affected internet-facing services should be patched promptly.
Technical view
CVE-2025-49795 is a NULL pointer dereference in libxml2 XPath XML expression processing. The supplied CVSS 3.1 score is 7.5: network reachable, low complexity, no privileges, no user interaction, availability impact high, confidentiality and integrity unaffected.
Likely exposure
Likely exposure is highest for applications or appliances that accept untrusted XML and evaluate XPath through affected libxml2 packages. The bundle lists Red Hat Enterprise Linux 10 libxml2 and Red Hat Hardened Images libxml2-main as affected; RHEL 7, 8, and 9 are listed unaffected.
Exploitation context
The source bundle does not show CISA KEV listing or cited evidence of active exploitation. Exploitation context should be treated as plausible denial-of-service risk against XML-processing entry points, not proven real-world exploitation.
Researcher notes
Evidence is strongest for Red Hat package status and the libxml2 flaw description. The bundle does not provide exploit details, proof of active exploitation, or complete downstream product impact. RHEL 6 status is unknown in the supplied data.
Mitigation direction
Apply relevant Red Hat errata where affected packages are installed.
Prioritize internet-facing or partner-facing XML-processing services.
Check vendor guidance for Siemens or other products bundling libxml2.
Reduce acceptance of untrusted XML where operationally possible.
Monitor XML-processing services for abnormal crashes or restart loops.
Validation and detection
Inventory libxml2 package versions across Linux hosts and images.
Map applications that parse XML or evaluate XPath from external input.
Compare installed packages with Red Hat affected and unaffected status.
Review vendor advisories for embedded or appliance dependencies.
Confirm patched systems no longer run affected package builds.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-825: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-825 · source CWE mapping
Expired Pointer Dereference
Expired Pointer Dereference represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.