Bug 2372406 (CVE-2025-6021)

Summary: CVE-2025-6021 libxml2: Integer Overflow in xmlBuildQName() Leads to Stack Buffer Overflow in libxml2
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: adudiak, caswilli, crizzo, csutherl, dfreiber, drow, jburrell, jclere, jmitchel, jtanner, kaycoth, kshier, omaciel, pjindal, plodge, stcannon, szappis, vkumar, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2372411, 2372412, 2372413, 2372414, 2372415, 2372416, 2372417, 2372418, 2372419, 2372420, 2372421, 2372422    
Bug Blocks:    

Description OSIDB Bzimport 2025-06-12 07:58:27 UTC 
Integer Overflow (Wraparound) vulnerability in the xmlBuildQName() function in libxml2. The flaw arises due to unsafe arithmetic when concatenating XML name components using the lengths of prefix and local name. These lengths, originally size_t, are cast to int, leading to incorrect calculations when values are large. If exploited, the function can perform a memcpy with an extremely large size, causing a stack buffer overflow. This vulnerability is remotely exploitable if the attacker can influence XML content passed to affected applications, potentially resulting in denial of service.
Comment 1 errata-xmlrpc 2025-07-08 21:09:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:10630 https://access.redhat.com/errata/RHSA-2025:10630
Comment 2 errata-xmlrpc 2025-07-09 11:52:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:10698 https://access.redhat.com/errata/RHSA-2025:10698
Comment 3 errata-xmlrpc 2025-07-09 11:58:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:10699 https://access.redhat.com/errata/RHSA-2025:10699
Comment 9 errata-xmlrpc 2025-07-17 15:27:04 UTC 
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2025:11386 https://access.redhat.com/errata/RHSA-2025:11386
Comment 10 errata-xmlrpc 2025-07-23 04:57:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:11580 https://access.redhat.com/errata/RHSA-2025:11580
Comment 12 errata-xmlrpc 2025-07-29 07:05:23 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.19

Via RHSA-2025:11673 https://access.redhat.com/errata/RHSA-2025:11673
Comment 13 errata-xmlrpc 2025-07-29 13:01:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:12099 https://access.redhat.com/errata/RHSA-2025:12099
Comment 14 errata-xmlrpc 2025-07-29 13:02:17 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2025:12098 https://access.redhat.com/errata/RHSA-2025:12098
Comment 15 errata-xmlrpc 2025-07-29 15:57:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:12199 https://access.redhat.com/errata/RHSA-2025:12199
Comment 16 errata-xmlrpc 2025-07-30 05:33:37 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2025:12237 https://access.redhat.com/errata/RHSA-2025:12237
Comment 17 errata-xmlrpc 2025-07-30 07:07:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2025:12241 https://access.redhat.com/errata/RHSA-2025:12241
Comment 18 errata-xmlrpc 2025-07-30 07:08:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2025:12239 https://access.redhat.com/errata/RHSA-2025:12239
Comment 19 errata-xmlrpc 2025-07-30 07:10:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2025:12240 https://access.redhat.com/errata/RHSA-2025:12240
Comment 33 errata-xmlrpc 2025-08-13 05:40:33 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2025:13336 https://access.redhat.com/errata/RHSA-2025:13336
Comment 34 errata-xmlrpc 2025-08-13 05:49:43 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2025:13325 https://access.redhat.com/errata/RHSA-2025:13325
Comment 35 errata-xmlrpc 2025-08-14 04:08:16 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2025:13289 https://access.redhat.com/errata/RHSA-2025:13289
Comment 45 errata-xmlrpc 2025-08-27 21:45:12 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:14059 https://access.redhat.com/errata/RHSA-2025:14059
Comment 46 errata-xmlrpc 2025-08-27 21:45:51 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2025:14396 https://access.redhat.com/errata/RHSA-2025:14396
Comment 50 errata-xmlrpc 2025-09-11 12:01:04 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2025:15308 https://access.redhat.com/errata/RHSA-2025:15308
Comment 51 errata-xmlrpc 2025-09-18 05:45:06 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2025:15672 https://access.redhat.com/errata/RHSA-2025:15672
Comment 62 errata-xmlrpc 2025-10-27 17:46:33 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Core Services 2.4.62.SP2

Via RHSA-2025:19020 https://access.redhat.com/errata/RHSA-2025:19020