CVE-2025-24855: 
Alma Linux vulnerability analysis and mitigation

A use-after-free vulnerability (CVE-2025-24855) was discovered in libxslt before version 1.1.43. The vulnerability exists in the numbers.c file, where during nested XPath evaluations, an XPath context node can be modified but never restored. This issue specifically relates to several functions including xsltNumberFormatGetValue, xsltEvalXPathPredicate, xsltEvalXPathStringNs, and xsltComputeSortResultInternal (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH), with the following vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H. The attack requires local access and high complexity, needs no privileges or user interaction, but has a changed scope with high impacts on integrity and availability while maintaining confidentiality (Snyk).

The vulnerability can lead to a total loss of integrity and availability in the impacted component. An attacker could potentially cause the system to crash, resulting in a denial of service, or possibly execute arbitrary code. While there is no loss of confidentiality, the attacker has the ability to modify protected files and fully deny access to resources (Ubuntu).

The vulnerability has been addressed in libxslt version 1.1.43. Ubuntu has released security updates for multiple versions: Ubuntu 24.10 (1.1.39-0exp1ubuntu1.2), Ubuntu 24.04 (1.1.39-0exp1ubuntu0.24.04.2), Ubuntu 22.04 (1.1.34-4ubuntu0.22.04.3), and Ubuntu 20.04 (1.1.34-4ubuntu0.20.04.3). Users are advised to perform a standard system update to apply the necessary patches (Ubuntu).