In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters.

FA plugin updates for vendor_unpatched: 2025/04/08 13:22 chunk 1/1

The remote AlmaLinux 8 host has packages installed that are affected by a vulnerability as referenced in the ALSA-2025:8958 advisory.

    * libxml2: Out-of-Bounds Read in libxml2 (CVE-2025-32414)

Tenable has extracted the preceding description block directly from the AlmaLinux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update of the libxml2 package has been released.

The remote Debian 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5949 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-5949-1                   security@debian.org     https://www.debian.org/security/                                  Aron Xu     June 26, 2025                         https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : libxml2     CVE ID         : CVE-2022-49043 CVE-2023-39615 CVE-2023-45322 CVE-2024-25062                      CVE-2024-34459 CVE-2024-56171 CVE-2025-24928 CVE-2025-27113                      CVE-2025-32414 CVE-2025-32415     Debian Bug     : 1051230 1053629 1063234 1071162 1094238 1098320 1098321 1098322 1102521 1103511

    Brief introduction


    Multiple memory related vulnerabilities, inlcuding use-after-free,     out-of-bounds memory access and NULL pointer dereference, were discovered in     GNOME XML Parser and Toolkit Library and its Python bindings, which may cause     denial of service or other unintended behaviors.

    For the stable distribution (bookworm), these problems have been fixed in     version 2.9.14+dfsg-1.3~deb12u2.

    We recommend that you upgrade your libxml2 packages.

    For the detailed security status of libxml2 please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/libxml2

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Alibaba Cloud Linux 3 host has packages installed that are affected by a vulnerability as referenced in the ALINUX3-SA-2025:0091 advisory.

    Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities:

    CVE-2025-32414:
    In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API     (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and     xmlPythonFileReadRaw because of a difference between bytes and characters.

Tenable has extracted the preceding description block directly from the Alibaba Cloud Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2025-8958 advisory.

    [2.9.7-20]
    - Fix CVE-2025-32414 (RHEL-88198)

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2025:8958 advisory.

    The libxml2 library is a development toolbox providing the implementation of various XML standards.

    Security Fix(es):

    * libxml2: Out-of-Bounds Read in libxml2 (CVE-2025-32414)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 2926c487-3e53-11f0-95d4-00a098b42aeb advisory.

    cve@mitre.org reports:
    In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds             memory access can occur in the Python API (Python bindings) because             of an incorrect return value.  This occurs in xmlPythonFileRead and             xmlPythonFileReadRaw because of a difference between bytes and             characters.

Tenable has extracted the preceding description block directly from the FreeBSD security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of libxml2 installed on the remote host is prior to 2.9.1-6. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2025-2860 advisory.

    In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API     (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and     xmlPythonFileReadRaw because of a difference between bytes and characters. (CVE-2025-32414)

    In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-     based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema     with certain identity constraints, or a crafted XML schema must be used. (CVE-2025-32415)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version, the Nessus Network Monitor running on the remote host is prior to 6.5.1. It is, therefore, affected by multiple vulnerabilities as referenced in the TNS-2025-10 advisory.

  - In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a     heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML     schema with certain identity constraints, or a crafted XML schema must be used. (CVE-2025-32415)

  - When installing Tenable Network Monitor to a non-default location on a Windows host, Tenable Network     Monitor versions prior to 6.5.1 did not enforce secure permissions for sub-directories. This could allow     for local privilege escalation if users had not secured the directories in the non-default installation     location. (CVE-2025-24916)

  - In Tenable Network Monitor versions prior to 6.5.1 on a Windows host, it was found that a     non-administrative user could stage files in a local directory to run arbitrary code with SYSTEM     privileges, potentially leading to local privilege escalation. (CVE-2025-24917)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2025-963 advisory.

    In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API     (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and     xmlPythonFileReadRaw because of a difference between bytes and characters. (CVE-2025-32414)

    In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-     based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema     with certain identity constraints, or a crafted XML schema must be used. (CVE-2025-32415)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:1440-1 advisory.

    - CVE-2025-32414: Fixed an out-of-bounds read when parsing text via the Python API. (bsc#1241551)
    - CVE-2025-32415: Fixed a crafted XML document may lead to a heap-based buffer under-read. (bsc#1241453)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:1439-1 advisory.

    - CVE-2025-32414: Fixed an out-of-bounds read when parsing text via the Python API. (bsc#1241551)
    - CVE-2025-32415: Fixed a crafted XML document may lead to a heap-based buffer under-read. (bsc#1241453)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:1438-1 advisory.

    - CVE-2025-32414: Fixed an out-of-bounds read when parsing text via the Python API. (bsc#1241551)
    - CVE-2025-32415: Fixed a crafted XML document may lead to a heap-based buffer under-read. (bsc#1241453)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4146 advisory.

    - -------------------------------------------------------------------------     Debian LTS Advisory DLA-4146-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                    Thorsten Alteholz     April 30, 2025                                https://wiki.debian.org/LTS
    - -------------------------------------------------------------------------

    Package        : libxml2     Version        : 2.9.10+dfsg-6.7+deb11u7     CVE ID         : CVE-2025-32414 CVE-2025-32415


    Two issues have been found in libxml2, the GNOME XML library.
    Thy are related to an out-of-bounds memory access in the Python API and a     heap-buffer-overflow in xmlSchemaIDCFillNodeTables().



    For Debian 11 bullseye, these problems have been fixed in version     2.9.10+dfsg-6.7+deb11u7.

    We recommend that you upgrade your libxml2 packages.

    For the detailed security status of libxml2 please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/libxml2

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS / 24.10 / 25.04 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-7467-1 advisory.

    It was discovered that the libxml2 Python bindings incorrectly handled certain return values. An attacker     could possibly use this issue to cause libxml2 to crash, resulting in a denial of service.
    (CVE-2025-32414)

    It was discovered that libxml2 incorrectly handled certain memory operations. A remote attacker could     possibly use this issue to cause libxml2 to crash, resulting in a denial of service. (CVE-2025-32415)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of libxml2 installed on the remote host is affected by multiple vulnerabilities.

  - In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python     API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and     xmlPythonFileReadRaw because of a difference between bytes and characters. (CVE-2025-32414)

  - In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a     heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML     schema with certain identity constraints, or a crafted XML schema must be used. (CVE-2025-32415)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of libxml2 installed on the remote host is prior to 2.11.9 / 2.13.8. It is, therefore, affected by multiple vulnerabilities as referenced in the SSA:2025-108-01 advisory.

    New libxml2 packages are available for Slackware 15.0 and -current to fix security issues.

Tenable has extracted the preceding description block directly from the libxml2 security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API     (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and     xmlPythonFileReadRaw because of a difference between bytes and characters. (CVE-2025-32414)

Note that Nessus relies on the presence of the package as reported by the vendor.

ID	Name	Product	Family	Severity
240954	AlmaLinux 8 : libxml2 (ALSA-2025:8958)	Nessus	Alma Linux Local Security Checks	high
240631	Photon OS 4.0: Libxml2 PHSA-2025-4.0-0821	Nessus	PhotonOS Local Security Checks	high
240559	Debian dsa-5949 : libxml2 - security update	Nessus	Debian Local Security Checks	high
240419	Alibaba Cloud Linux 3 : 0091: libxml2 (ALINUX3-SA-2025:0091)	Nessus	Alibaba Cloud Linux Local Security Checks	high
238320	Oracle Linux 8 : libxml2 (ELSA-2025-8958)	Nessus	Oracle Linux Local Security Checks	high
238251	RHEL 8 : libxml2 (RHSA-2025:8958)	Nessus	Red Hat Local Security Checks	high
237625	FreeBSD : libxml2 -- Out-of-bounds memory access (2926c487-3e53-11f0-95d4-00a098b42aeb)	Nessus	FreeBSD Local Security Checks	high
237474	Amazon Linux 2 : libxml2 (ALAS-2025-2860)	Nessus	Amazon Linux Local Security Checks	high
237289	Nessus Network Monitor < 6.5.1 Multiple Vulnerabilities (TNS-2025-10)	Nessus	Misc.	high
235884	Amazon Linux 2023 : libxml2, libxml2-devel, libxml2-static (ALAS2023-2025-963)	Nessus	Amazon Linux Local Security Checks	high
235176	Photon OS 5.0: Libxml2 PHSA-2025-5.0-0516	Nessus	PhotonOS Local Security Checks	high
235097	SUSE SLES12 Security Update : libxml2 (SUSE-SU-2025:1440-1)	Nessus	SuSE Local Security Checks	high
235093	openSUSE 15 Security Update : libxml2 (SUSE-SU-2025:1439-1)	Nessus	SuSE Local Security Checks	high
235089	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : libxml2 (SUSE-SU-2025:1438-1)	Nessus	SuSE Local Security Checks	high
235029	Debian dla-4146 : libxml2 - security update	Nessus	Debian Local Security Checks	high
234907	Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS / 24.10 / 25.04 : libxml2 vulnerabilities (USN-7467-1)	Nessus	Ubuntu Local Security Checks	high
234891	libxml2 < 2.13.8 / 2.14.x < 2.14.2 Multiple Vulnerabilities (macOS)	Nessus	MacOS X Local Security Checks	high
234628	Slackware Linux 15.0 / current libxml2 Multiple Vulnerabilities (SSA:2025-108-01)	Nessus	Slackware Local Security Checks	medium
234202	Linux Distros Unpatched Vulnerability : CVE-2025-32414	Nessus	Misc.	medium

Detections

Analytics

CVE-2025-32414

high

Tenable Plugins

Coming Soon

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

medium

medium