CVE-2025-49794 CRITICAL

CVE-2025-49794: Libxml: heap use after free (uaf) leads to denial of service (dos)

Vendor Red Hat
Product Red Hat JBoss Core Services 2.4.62.SP2
Weakness CWE-825
Published June 16, 2025
Last update June 3, 2026

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

What the vulnerability does

01Description

A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the <sch:name path="..."/> schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors.

Key dates

02Disclosure timeline

June 16, 2025 CVE published
June 3, 2026 Record updated