CVE-2025-12863
Published: November 8, 2025Last modified: November 16, 2025
Description
A flaw was found in the xmlSetTreeDoc() function of the libxml2 XML parsing library. This function is responsible for updating document pointers when XML nodes are moved between documents. Due to improper handling of namespace references, a namespace pointer may remain linked to a freed memory region when the original document is destroyed. As a result, subsequent operations that access the namespace can lead to a use-after-free condition, causing an application crash.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.5 |
| Attack Vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | NONE |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | NONE |
| Integrity impact | NONE |
| Availability impact | HIGH |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Alpaquita Linux | 23 LTS | libxml2 | Vulnerable (2.10.3-r2) |
| 25 LTS | libxml2 | Vulnerable (2.13.8-r0) | |
| Stream | libxml2 | Vulnerable (2.10.3-r2) | |
| Hardened Containers | 23 LTS | libxml2 | Vulnerable (2.10.3-r2) |
| Stream | libxml2 | Vulnerable (2.10.3-r2) |