CVE-2025-32414

NameCVE-2025-32414
DescriptionIn libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-4146-1, DSA-5949-1
Debian Bugs1102521

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libxml2 (PTS)bullseye2.9.10+dfsg-6.7+deb11u4vulnerable
bullseye (security)2.9.10+dfsg-6.7+deb11u9fixed
bookworm, bookworm (security)2.9.14+dfsg-1.3~deb12u4fixed
trixie (security), trixie2.12.7+dfsg+really2.9.14-2.1+deb13u1fixed
forky2.14.6+dfsg-0.1fixed
sid2.15.1+dfsg-0.3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libxml2sourcebullseye2.9.10+dfsg-6.7+deb11u7DLA-4146-1
libxml2sourcebookworm2.9.14+dfsg-1.3~deb12u2DSA-5949-1
libxml2source(unstable)2.12.7+dfsg+really2.9.14-11102521

Notes

https://gitlab.gnome.org/GNOME/libxml2/-/issues/889
Search for package or bug name: Reporting problems