CVE-2025-24928
HIGH
libxml2 <2.12.10 & 2.13.x <2.13.6 - Buffer Overflow
Title source: llm
Description
libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a stack-based buffer overflow in xmlSnprintfElements in valid.c. To exploit this, DTD validation must occur for an untrusted document or untrusted DTD. NOTE: this is similar to CVE-2017-9047.
References (4)
Scores
CVSS v3
7.8
EPSS
0.0013
EPSS Percentile
32.7%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Classification
CWE
CWE-121
Status
published
Affected Products (11)
netapp/active_iq_unified_manager
netapp/manageability_software_development_kit
netapp/ontap
netapp/solidfire_\&_hci_management_node
xmlsoft/libxml2
< 2.12.10
netapp/hci_compute_node
netapp/h410c_firmware
netapp/h300s_firmware
netapp/h500s_firmware
netapp/h700s_firmware
netapp/h410s_firmware
Timeline
Published
Feb 18, 2025
Tracked Since
Feb 18, 2026