Cyber Posture

CVE-2025-24928

Severity: High
Published: 18 February 2025
Modified: 03 November 2025
KEV Added: not listed
Patch: libxml2 2.12.10 (2.12 branch) / 2.13.6 (2.13 branch), see Mitigating Controls
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N)
EPSS Score: 0.0024 (46.3rd percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-24928 is a high-severity stack-based buffer overflow (CWE-121) in xmlsoft libxml2, specifically in xmlSnprintfElements in valid.c, reached only when an untrusted document or DTD is validated. Its CVSS 3.1 base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its EPSS score places it at the 46.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation), which removes the bug, and SI-16 (Memory Protection), which only raises the cost of exploiting it; CM-7 (Least Functionality) removes the precondition by not validating untrusted DTDs at all.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

SI-2 Flaw Remediation (prevent)

Patch libxml2 to 2.12.10 or later on the 2.12 branch, or 2.13.6 or later on the 2.13 branch; this removes the stack-based buffer overflow in xmlSnprintfElements (valid.c) that is reached during DTD validation. Distribution packages often carry the fix as a backport under an older upstream version number, so confirm against the vendor advisory or package changelog rather than the version string alone.

SI-16 Memory Protection (prevent)

Stack canaries (-fstack-protector-strong), address space layout randomization with position-independent executables, and non-executable stacks make a stack-based overflow in libxml2's valid.c harder to turn into code execution, but they do not remove the bug: a crash is still a denial of service, and a canary is only checked at function return, so corrupted locals used before that point are not caught. Treat these as defence in depth alongside patching.

CM-7 Least Functionality (prevent)

Do not validate untrusted documents or DTDs. In libxml2 terms, do not pass XML_PARSE_DTDVALID (or call xmlValidateDocument and related xmlValidate* functions) for untrusted input, and also drop XML_PARSE_DTDLOAD and set XML_PARSE_NONET so external DTDs are never fetched; with xmllint, avoid --valid and --dtdvalid on files you do not control. Removing validation removes the precondition needed to reach the vulnerable code.

MITRE ATT&CK Enterprise Techniques [AI]

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The overflow is reachable locally without prior privileges, and the CVSS vector records changed scope with high confidentiality and integrity impact: a successful exploit runs code in the context of whichever process validates the attacker-supplied document, which this analysis maps to exploitation for privilege escalation. Where that process is an end-user tool opening a supplied file, Exploitation for Client Execution (T1203) describes the foothold more precisely; the T1068 mapping fits when the validating parser runs in a more privileged service than the one handing it the document.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a stack-based buffer overflow in xmlSnprintfElements in valid.c. To exploit this, DTD validation must occur for an untrusted document or untrusted DTD. NOTE: this is similar to CVE-2017-9047.

Deeper analysis [AI]

CVE-2025-24928 is a stack-based buffer overflow in the xmlSnprintfElements function within valid.c of libxml2. It affects libxml2 versions before 2.12.10 and 2.13.x before 2.13.6. Exploitation requires DTD validation to occur for an untrusted document or untrusted DTD. The vulnerability is classified as CWE-121 (stack-based buffer overflow) with a CVSS v3.1 base score of 7.8 (AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N). It is similar to CVE-2017-9047.

The attack vector is local (AV:L): the attacker must get a crafted document or DTD in front of a process that validates it, which in practice means any service, build step or command-line tool that runs DTD validation on files it does not control. No privileges or user interaction are required, but attack complexity is rated high. xmlSnprintfElements renders an element's actual children into a fixed-size stack buffer while composing a validation error message, which is why validation is the precondition; overrunning that buffer yields high confidentiality and integrity impact with changed scope, up to code execution in the validating process. The vector rates availability impact as none, but an unreliable attempt will usually just crash the validating process, so parser crashes in valid.c under DTD validation are worth treating as a signal.
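The bug class described above, as an added C example that is neither libxml2's code nor part of the original page: a simplified formatter shaped after what xmlSnprintfElements does, rendering child-element names into a fixed-size buffer for an error message. The unsafe variant guards each append with a check against a length counter that is not refreshed after every write, so one check runs against a stale value; this is an illustration of the CWE-121 pattern, not a claim about the exact libxml2 defect. The hardened variant routes every write through one bounded helper and returns the required length so callers can detect truncation. Function names, the prefix and name arrays, and the sample input are the author's constructions; the unsafe variant is included for comparison only and is never called.

```c
/*
 * Added illustration of the CWE-121 pattern behind CVE-2025-24928.
 * NOT libxml2's code: plain C strings stand in for xmlNode, so the
 * length-tracking mistake and its fix can be seen in isolation.
 */
#include <stdio.h>
#include <string.h>

/*
 * Simplified stand-in for the bug class: every append is guarded by a
 * check against `len`, but `len` is only refreshed after the element
 * name, not after the prefix, so the second check runs against a stale
 * length and strcat can run past the end of buf. Comparison only; the
 * demo never calls it, since over-long input is undefined behaviour.
 */
void fmt_children_unsafe(char *buf, int size, const char *const *prefixes,
                         const char *const *names, int n)
{
    int len = 0;
    buf[0] = '\0';
    for (int i = 0; i < n; i++) {
        if (prefixes[i] != NULL) {
            if (size - len < (int)strlen(prefixes[i]) + 10) {
                strcat(buf, " ...");
                return;
            }
            strcat(buf, prefixes[i]);
            strcat(buf, ":");
            /* bug: len is not updated here */
        }
        if (size - len < (int)strlen(names[i]) + 10) {
            strcat(buf, " ...");
            return;
        }
        strcat(buf, names[i]);
        strcat(buf, " ");
        len = (int)strlen(buf);
    }
}

/*
 * Hardened form. One helper does every write: it copies only what fits
 * before buf[size-1], always leaves buf NUL-terminated, and advances *pos
 * by the full length of s so the caller learns the untruncated size.
 */
static void append_bounded(char *buf, int size, int *pos, const char *s)
{
    int slen = (int)strlen(s);
    if (*pos < size - 1) {
        int room = size - 1 - *pos;
        int n = slen < room ? slen : room;
        memcpy(buf + *pos, s, (size_t)n);
        buf[*pos + n] = '\0';
    }
    *pos += slen;
}

/*
 * Returns the length the full message needs (excluding the NUL), like
 * snprintf; a result greater than size - 1 means the output was truncated.
 * A truncated message ends in "..." so the cut is visible in logs.
 */
int fmt_children_safe(char *buf, int size, const char *const *prefixes,
                      const char *const *names, int n)
{
    int pos = 0;
    if (size <= 0)
        return -1;
    buf[0] = '\0';
    for (int i = 0; i < n; i++) {
        if (i > 0)
            append_bounded(buf, size, &pos, " ");
        if (prefixes[i] != NULL) {
            append_bounded(buf, size, &pos, prefixes[i]);
            append_bounded(buf, size, &pos, ":");
        }
        append_bounded(buf, size, &pos, names[i]);
    }
    if (pos > size - 1 && size >= 4)
        memcpy(buf + size - 4, "...", 4);   /* mark the truncation */
    return pos;
}

int main(void)
{
    /* Constructed sample: three children, one with a namespace prefix. */
    const char *prefixes[] = { NULL, "dc", NULL };
    const char *names[] = { "title", "author", "year" };
    char small[16];
    int need = fmt_children_safe(small, (int)sizeof small, prefixes, names, 3);
    printf("needed %d bytes, got \"%s\"\n", need, small);
    return 0;
}
```

A practical check for code shaped like fmt_children_unsafe is to build with -fsanitize=address and feed it names whose combined length exceeds the buffer; the hardened version instead returns a value larger than size - 1 and leaves the stack intact.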

Advisories recommend upgrading to libxml2 2.12.10 or later (for the 2.12 branch) or 2.13.6 or later (for the 2.13 branch). The libxml2 GitLab issue at https://gitlab.gnome.org/GNOME/libxml2/-/issues/847 tracks the fix, while OSS-Fuzz issue https://issues.oss-fuzz.com/issues/392687022 documents the discovery. Debian LTS announcement https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html provides patches for affected Debian versions, and NetApp advisory https://security.netapp.com/advisory/ntap-20250321-0006/ covers mitigation in NetApp products.
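As an added example, not part of the advisory or of the libxml2 project, the two affected ranges above encoded as a version check and applied to a constructed inventory; the function names, the record layout and the hosts are the author's assumptions.

```c
/*
 * Added example, not from the advisory or libxml2: an affected-version
 * check for CVE-2025-24928 (before 2.12.10, and 2.13.x before 2.13.6)
 * run over a few constructed inventory records.
 */
#include <stdio.h>
#include <string.h>

struct ver { int major, minor, patch; };

/* Parse "2.12.9" or "2.13.6"; a distro suffix such as "2.9.14+dfsg-1.3"
 * is ignored because sscanf stops at the first character it cannot match. */
static int parse_ver(const char *s, struct ver *v)
{
    v->major = v->minor = v->patch = 0;
    return sscanf(s, "%d.%d.%d", &v->major, &v->minor, &v->patch) >= 2;
}

static int ver_cmp(struct ver a, struct ver b)
{
    if (a.major != b.major) return a.major < b.major ? -1 : 1;
    if (a.minor != b.minor) return a.minor < b.minor ? -1 : 1;
    if (a.patch != b.patch) return a.patch < b.patch ? -1 : 1;
    return 0;
}

/*
 * 1 = upstream version is in an affected range, 0 = fixed or outside the
 * ranges, -1 = unparseable. The 2.13 branch is its own range because
 * "before 2.12.10" read literally would wrongly clear 2.13.0 through 2.13.5.
 */
int libxml2_affected_cve_2025_24928(const char *version)
{
    static const struct ver fix_2_12 = { 2, 12, 10 };
    static const struct ver fix_2_13 = { 2, 13, 6 };
    struct ver v;
    if (!parse_ver(version, &v))
        return -1;
    if (v.major == 2 && v.minor == 13)
        return ver_cmp(v, fix_2_13) < 0;
    return ver_cmp(v, fix_2_12) < 0;
}

struct host_pkg { const char *host; const char *version; };

/* Count records whose upstream version is in an affected range. A hit is
 * a candidate only: distributions often backport the fix under an old
 * version number, so confirm against the vendor advisory or package
 * changelog before treating it as a finding. */
int count_candidates(const struct host_pkg *inv, int n)
{
    int hits = 0;
    for (int i = 0; i < n; i++)
        if (libxml2_affected_cve_2025_24928(inv[i].version) == 1)
            hits++;
    return hits;
}

int main(void)
{
    /* Constructed inventory, not real hosts. */
    const struct host_pkg inv[] = {
        { "web01", "2.12.9" },
        { "web02", "2.12.10" },
        { "api01", "2.13.5" },
        { "api02", "2.13.6" },
        { "bld01", "2.14.0" },
        { "old01", "2.9.14+dfsg-1.3" },
    };
    int n = (int)(sizeof inv / sizeof inv[0]);
    for (int i = 0; i < n; i++)
        printf("%-6s %-18s %s\n", inv[i].host, inv[i].version,
               libxml2_affected_cve_2025_24928(inv[i].version) == 1
                   ? "CANDIDATE" : "ok");
    printf("%d of %d candidates\n", count_candidates(inv, n), n);
    return 0;
}
```

On a host the upstream version string comes from xml2-config --version or pkg-config --modversion libxml-2.0; feed those into the check. Because the Debian announcement linked above ships the fix as a backport, a hit on a distribution package is a prompt to read that package's changelog, not a confirmed exposure.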

Details

CWE(s)

CWE-121 Stack-based Buffer Overflow

Affected Products

Vendor | Product | Versions
xmlsoft | libxml2 | < 2.12.10; 2.13.0 through 2.13.5 (fixed in 2.13.6)
netapp | active iq unified manager | all versions
netapp | manageability software development kit | all versions
netapp | ontap | 9
netapp | solidfire & hci management node | all versions
netapp | hci compute node | all versions
netapp | h410c firmware | all versions
netapp | h300s firmware | all versions
netapp | h500s firmware | all versions
netapp | h700s firmware | all versions
+1 more product configuration(s); see NVD for the full list

CVEs Like This One

CVE-2024-56171 (same product: NetApp Active IQ Unified Manager)
CVE-2025-26512 (same product class: NAS / storage appliance)
CVE-2024-54085 (same product: NetApp H300S)
CVE-2025-59383 (same product class: NAS / storage appliance)
CVE-2024-53697 (same product class: NAS / storage appliance)
CVE-2025-30273 (same product class: NAS / storage appliance)
CVE-2025-48725 (same product class: NAS / storage appliance)
CVE-2025-27423 (same product: NetApp HCI Compute Node)
CVE-2025-1736 (same product: NetApp ONTAP)
CVE-2025-1861 (same product: NetApp ONTAP)

References

https://gitlab.gnome.org/GNOME/libxml2/-/issues/847 (libxml2 issue tracking the fix)
https://issues.oss-fuzz.com/issues/392687022 (OSS-Fuzz report documenting the discovery)
https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html (Debian LTS announcement)
https://security.netapp.com/advisory/ntap-20250321-0006/ (NetApp advisory)