CVE-2025-49796
Published: 16 June 2025
Summary
CVE-2025-49796 is a critical-severity Out-of-bounds Read (CWE-125) vulnerability in Siemens (inferred from references). Its CVSS base score is 9.1 (Critical).
Operationally, ranked in the top 16.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2025-49796 is a memory corruption vulnerability in libxml2 triggered during processing of specially crafted sch:name elements within an input XML file. The flaw, tracked under CWE-125, can result in a crash or other undefined behavior from corruption of sensitive data in memory.
An unauthenticated remote attacker can exploit the issue by supplying a malicious XML document over the network. Successful exploitation yields high impact on integrity and availability, enabling denial of service or potentially broader undefined behavior, as reflected in the CVSS 9.1 score requiring no user interaction or privileges.
Multiple Red Hat Security Advisories (RHSA-2025:10630, RHSA-2025:10698, RHSA-2025:10699, RHSA-2025:11580, and RHSA-2025:12098) address the flaw and provide updated packages for affected systems. The associated EPSS score has remained flat at 0.0178 with no material increase observed after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-18415
Vulnerability details
A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting…
more
in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.