Cyber Resilience

CVE-2025-6021

High · Public PoC · Updated

Published: 12 June 2025

Modified: 12 May 2026
KEV Added: not listed
Patch: available (Red Hat errata listed below)
CVSS v3.1 score: 7.5 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS score: 0.0212 (84.5th percentile)
Risk priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-6021 is a high-severity Out-of-bounds Write (CWE-787) vulnerability affecting Red Hat OpenShift Container Platform. Its CVSS base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the top 15.5% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

A flaw exists in libxml2 within the xmlBuildQName function, where integer overflows during buffer size calculations produce a stack-based buffer overflow. The affected component is the widely used libxml2 library, and the issue manifests as memory corruption or denial of service when the library processes specially crafted input. The vulnerability carries a CVSS 3.1 base score of 7.5 with a network attack vector, low attack complexity, and no required privileges or user interaction.

An unauthenticated remote attacker can supply malicious XML content to any application that links against a vulnerable libxml2 version, triggering the overflow to corrupt memory or crash the process and thereby cause a high-impact denial of service. The CVSS vector records no confidentiality or integrity impact.

Red Hat has published multiple errata (RHSA-2025:10630, RHSA-2025:10698, RHSA-2025:10699, RHSA-2025:11580, RHSA-2025:11673) that deliver patched libxml2 packages for affected Red Hat Enterprise Linux distributions.

The associated EPSS score remains flat at 0.0212 with no observed rise after disclosure.

Vulnerability details

A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input.
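The defensive pattern the description points at, shown as an added C illustration (this is not libxml2's code; the function names and the caller-buffer-or-heap shape are assumptions): compute the QName size with explicit wrap checks, so an oversized prefix/name pair is rejected instead of wrapping to a small total that passes the "fits in the caller's buffer" test.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not libxml2's implementation. Computes the bytes
 * needed for "prefix:name" plus the terminating NUL. Every addition is
 * checked against SIZE_MAX before it is performed, so the sum can never
 * wrap around; the same discipline applies whatever integer type is used.
 * Returns 0 and stores the size in *out, or -1 if the sum would overflow. */
int qname_size(size_t lenn, size_t lenp, size_t *out) {
    size_t total;
    if (lenp > SIZE_MAX - lenn) return -1;   /* lenn + lenp would wrap */
    total = lenn + lenp;
    if (total > SIZE_MAX - 2) return -1;     /* + ':' + NUL would wrap */
    *out = total + 2;
    return 0;
}

/* Builds "prefix:ncname" into the caller-supplied buffer `memory` of `cap`
 * bytes when it fits, otherwise into a freshly malloc'd buffer the caller
 * must free. Returns NULL if the size calculation overflows or allocation
 * fails, so no write ever happens against an under-sized stack buffer. */
char *build_qname_checked(const char *ncname, const char *prefix,
                          char *memory, size_t cap) {
    size_t lenn = strlen(ncname);
    size_t lenp = strlen(prefix);
    size_t need;
    char *ret;

    if (qname_size(lenn, lenp, &need) != 0) return NULL;
    if (memory == NULL || cap < need) {
        ret = malloc(need);
        if (ret == NULL) return NULL;
    } else {
        ret = memory;
    }
    memcpy(ret, prefix, lenp);
    ret[lenp] = ':';
    memcpy(ret + lenp + 1, ncname, lenn + 1);  /* copies the NUL too */
    return ret;
}
```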

CWE(s)

CWE-787 Out-of-bounds Write

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

CVE-2025-6021 and related libxml2 vulnerabilities (integer overflow leading to stack buffer overflow, heap use-after-free, null pointer dereference, type confusion) enable denial of service against applications that process crafted XML input.

Affected Assets

Vendor / Product / Affected versions

xmlsoft / libxml2 / ≤ 2.14.4
redhat / jboss core services / all versions
redhat / openshift container platform / 4.12, 4.13, 4.14, 4.15, 4.16
redhat / openshift container platform for arm64 / 4.13, 4.14, 4.15, 4.16, 4.17
redhat / openshift container platform for ibm z / 4.13, 4.14, 4.15, 4.16, 4.17
redhat / openshift container platform for linuxone / 4.13, 4.14, 4.15, 4.16, 4.17
redhat / openshift container platform for power / 4.13, 4.14, 4.15, 4.16, 4.17
redhat / enterprise linux / 10.0, 8.0, 9.0
redhat / enterprise linux eus / 10.0, 8.4, 8.6, 8.8, 9.4
redhat / enterprise linux for arm 64 / 10.0_aarch64, 8.0_aarch64, 9.0_aarch64, 9.4_aarch64
+10 more product configurations (see NVD for the full list)

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses: CWE-787

Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.