2458840 – CVE-2025-49795 libxml2: NULL pointer dereference in XPath expression processing [fedora-43]

Bug 2458840 - CVE-2025-49795 libxml2: NULL pointer dereference in XPath expression processing [fedora-43]

Summary: CVE-2025-49795 libxml2: NULL pointer dereference in XPath expression processi...

Keywords:
Status:	NEW
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	libxml2
Sub Component:
Version:	43
Hardware:	Unspecified
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	---
Assignee:	David King
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-15 21:59 UTC by unclebob
Modified:	2026-04-15 21:59 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description unclebob 2026-04-15 21:59:48 UTC

libxml2-2.12.10-5.fc43 is affected by CVE-2025-49795.

Affected versions: libxml2 >= 2.10.0 (vulnerability introduced in 2.10.0)
Fixed in: libxml2 2.14.5
Upstream fix: https://gitlab.gnome.org/GNOME/libxml2/-/commit/499bcb78ab389f60c2fd634ce410d4bb85c18765

available version in fedora repository libxml2-2.12.10-5.fc43

Did not see that this CVE is fixed in any patch.

Reproducible: Always

Note You need to log in before you can comment on or make changes to this bug.