2413323 – (CVE-2025-12863) CVE-2025-12863 libxml2: Namespace Use-After-Free in xmlSetTreeDoc() function of libxml2

Bug 2413323 (CVE-2025-12863) - CVE-2025-12863 libxml2: Namespace Use-After-Free in xmlSetTreeDoc() function of libxml2

Summary: CVE-2025-12863 libxml2: Namespace Use-After-Free in xmlSetTreeDoc() function ...

Keywords:
Status:	NEW
Alias:	CVE-2025-12863
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2413330 2413331 2413332 2413333 2413334 2413335 2413336 2413337 2413338 2413339 2413340 2413341 2413342 2413343 2413344 2413345
Blocks:
TreeView+	depends on / blocked

Reported:	2025-11-07 10:36 UTC by OSIDB Bzimport
Modified:	2025-11-07 11:19 UTC (History)
CC List:	16 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-11-07 10:36:18 UTC

Use-After-Free (UAF) vulnerability in the namespace handling logic of libxml2, occurring in the xmlSetTreeDoc() function. The flaw arises when XML nodes with namespaces are moved between documents using xmlAddChild() or xmlReplaceNode(). The internal function xmlNodeSetDoc() updates the node’s document pointer but fails to update its ns (namespace) reference, which still points to memory from the original document. Once the source document is freed, any subsequent operation accessing the namespace (e.g., serialization via xmlDocDumpMemory()) leads to a UAF and potential crash. The issue can be triggered by crafted XML documents processed by applications using libxml2, and may result in a denial of service.

Note You need to log in before you can comment on or make changes to this bug.