CVE-2025-27113
Published: 18 February 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-27113 is a NULL pointer dereference vulnerability in the xmlPatMatch function within pattern.c of the libxml2 library. It affects libxml2 versions before 2.12.10 as well as 2.13.x versions before 2.13.6. The vulnerability, classified under CWE-476, was published on 2025-02-18 and carries a CVSS v3.1 base score of 2.9.
A local attacker (AV:L) with no privileges (PR:N) and no user interaction (UI:N) required can exploit this issue through a high-complexity attack (AC:H) within unchanged scope (S:U). Successful exploitation results in limited availability impact (A:L) via a crash or denial of service, with no impact on confidentiality or integrity (C:N/I:N).
Advisories recommend upgrading to libxml2 2.12.10 or later for the 2.12 series, or 2.13.6 or later for the 2.13 series to mitigate the issue. Further technical details are documented in the libxml2 GitLab issue at https://gitlab.gnome.org/GNOME/libxml2/-/issues/861, along with full disclosure reports at http://seclists.org/fulldisclosure/2025/Apr/10, http://seclists.org/fulldisclosure/2025/Apr/11, http://seclists.org/fulldisclosure/2025/Apr/12, and http://seclists.org/fulldisclosure/2025/Apr/13.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
NULL pointer dereference in libxml2 causes crash/DoS, directly mapping to application exploitation for endpoint denial of service (T1499.004).