CVE-2025-7424 — Libxslt: type confusion in xmlnode.psvi between stylesheet and source nodes

Description

A flaw was found in the libxslt library. The same memory field, psvi, is used for both stylesheet and input data, which can lead to type confusion during XML transformations. This vulnerability allows an attacker to crash the application or corrupt memory. In some cases, it may lead to denial of service or unexpected behavior.

How to fix CVE-2025-7424

To remediate CVE-2025-7424, upgrade the affected package to a fixed version below.

—upgrade to 1.8.0 or later
—upgrade to 1.8.0 or later
—upgrade to 1.8.0 or later
—upgrade to 1.1.34-4+deb11u3 or later

Is CVE-2025-7424 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

from 0, < 1.8.0, >= 1.9.0, < 8.0.481
from 0, < 1.8.0, >= 1.9.0, < 8.0.481
from 0, < 1.8.0, >= 1.9.0, < 8.0.481
from 0, < 1.1.34-4+deb11u3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (15)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2025-7424
WEBaccess.redhat.com/errata/RHBA-2025:12345
WEBaccess.redhat.com/errata/RHSA-2026:11015
WEBaccess.redhat.com/security/cve/CVE-2025-7424
WEB