Subject: [ASA-202506-7] libxml2: denial of service

Arch Linux Security Advisory ASA-202506-7
=========================================

Severity: High
Date    : 2025-06-18
CVE-ID  : CVE-2025-6021
Package : libxml2
Type    : denial of service
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2899

Summary
=======

The package libxml2 before version 2.14.4-1 is vulnerable to denial of
service.

Resolution
==========

Upgrade to 2.14.4-1.

# pacman -Syu "libxml2>=2.14.4-1"

The problem has been fixed upstream in version 2.14.4.

Workaround
==========

None.

Description
===========

The xmlBuildQName function in tree.c is vulnerable to an integer
overflow when calculating the required buffer size for concatenating a
prefix and a local name (ncname). The lengths of ncname and prefix are
retrieved using strlen (which returns size_t) but are then implicitly
cast to int variables lenn and lenp.

Impact
======

A remote attacker can cause a denial of service by triggering an
integer overflow in the xmlBuildQName function.

References
==========

https://gitlab.gnome.org/GNOME/libxml2/-/issues/926
https://gitlab.gnome.org/GNOME/libxml2/-/commit/ad346c9a249c4b380bf73c460ad3e81135c5d781
https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.14.4
https://security.archlinux.org/CVE-2025-6021