{"id":"CVE-2025-49795","details":"A NULL pointer dereference vulnerability was found in libxml2 when processing XPath XML expressions. This flaw allows an attacker to craft a malicious XML input to libxml2, leading to a denial of service.","modified":"2026-03-12T02:19:36.245911830Z","published":"2025-06-16T16:15:19Z","withdrawn":"2025-07-11T01:04:25.539992Z","related":["ALSA-2025:10630","MGASA-2025-0269","SUSE-SU-2025:02260-1","SUSE-SU-2025:02314-1","SUSE-SU-2025:20564-1","SUSE-SU-2025:20607-1","openSUSE-SU-2025:15321-1"],"references":[{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2025:10630"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2372379"},{"type":"WEB","url":"https://access.redhat.com/security/cve/CVE-2025-49795"},{"type":"ADVISORY","url":"https://security-tracker.debian.org/tracker/CVE-2025-49795"}],"affected":[{"package":{"name":"libxml2","ecosystem":"Debian:12","purl":"pkg:deb/debian/libxml2?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.12.3+dfsg-0exp1","2.12.5+dfsg-0exp1","2.12.6+dfsg-0exp1","2.12.6+dfsg-0exp2","2.12.7+dfsg+really2.9.14-0.1","2.12.7+dfsg+really2.9.14-0.2","2.12.7+dfsg+really2.9.14-0.3","2.12.7+dfsg+really2.9.14-0.4","2.12.7+dfsg+really2.9.14-1","2.12.7+dfsg-1","2.12.7+dfsg-2","2.12.7+dfsg-3","2.13.1+dfsg-0exp1","2.13.3+dfsg-0exp1","2.13.3+dfsg-0exp2","2.14.1+dfsg-0exp1","2.14.2+dfsg-0exp1","2.14.3+dfsg-0exp1","2.14.3+dfsg-0exp2","2.14.3+dfsg-0exp3","2.14.4+dfsg-0exp1","2.9.14+dfsg-1.2","2.9.14+dfsg-1.3","2.9.14+dfsg-1.3~deb12u1","2.9.14+dfsg-1.3~deb12u2"],"ecosystem_specific":{"urgency":"not yet assigned"},"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-49795.json"}},{"package":{"name":"libxml2","ecosystem":"Debian:13","purl":"pkg:deb/debian/libxml2?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.12.3+dfsg-0exp1","2.12.5+dfsg-0exp1","2.12.6+dfsg-0exp1","2.12.6+dfsg-0exp2","2.12.7+dfsg+really2.9.14-0.1","2.12.7+dfsg+really2.9.14-0.2","2.12.7+dfsg+really2.9.14-0.3","2.12.7+dfsg+really2.9.14-0.4","2.12.7+dfsg+really2.9.14-1","2.12.7+dfsg-1","2.12.7+dfsg-2","2.12.7+dfsg-3","2.13.1+dfsg-0exp1","2.13.3+dfsg-0exp1","2.13.3+dfsg-0exp2","2.14.1+dfsg-0exp1","2.14.2+dfsg-0exp1","2.14.3+dfsg-0exp1","2.14.3+dfsg-0exp2","2.14.3+dfsg-0exp3","2.14.4+dfsg-0exp1","2.9.14+dfsg-1.2","2.9.14+dfsg-1.3","2.9.14+dfsg-1.3~deb12u1","2.9.14+dfsg-1.3~deb12u2"],"ecosystem_specific":{"urgency":"not yet assigned"},"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-49795.json"}}],"schema_version":"1.7.3"}