Bug 2458840

Summary: CVE-2025-49795 libxml2: NULL pointer dereference in XPath expression processing [fedora-43]
Product: [Fedora] Fedora
Reporter: unclebob <dandack>
Component: libxml2
Assignee: David King <amigadave>
Status: NEW
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 43
CC: amigadave
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: Unspecified
OS: Linux
Fixed In Version: (none)

Description unclebob 2026-04-15 21:59:48 UTC
libxml2-2.12.10-5.fc43 is affected by CVE-2025-49795.

Affected versions: libxml2 >= 2.10.0 (vulnerability introduced in 2.10.0)
Fixed in: libxml2 2.14.5
Upstream fix: https://gitlab.gnome.org/GNOME/libxml2/-/commit/499bcb78ab389f60c2fd634ce410d4bb85c18765

Available version in the Fedora repository: libxml2-2.12.10-5.fc43

I did not see that this CVE is fixed in any patch.

Reproducible: Always