CVE-2025-32414: 
NixOS vulnerability analysis and mitigation

In libxml2 before 2.13.8 and 2.14.x before 2.14.2, an out-of-bounds memory access vulnerability was discovered in the Python API (Python bindings). The vulnerability was disclosed on April 7, 2025, and affects the Python bindings of libxml2, specifically in the xmlPythonFileRead and xmlPythonFileReadRaw functions (NVD).

The vulnerability stems from an incorrect return value in the Python API bindings, specifically occurring in the xmlPythonFileRead and xmlPythonFileReadRaw functions due to a difference between bytes and characters handling. The issue has been assigned a CVSS v3.1 base score of 5.6 (Medium), with the vector string CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L. The vulnerability is classified as CWE-393 (Return of Wrong Status Code) (NVD, Red Hat).

The vulnerability can lead to out-of-bounds memory access, potentially affecting the confidentiality, integrity, and availability of systems using the Python bindings of libxml2. The impact is considered moderate with low potential for confidentiality, integrity, and availability breaches (Snyk).

Currently, there is no fixed version available for some distributions. Red Hat has noted that mitigation options either are not available or do not meet their Product Security criteria for ease of use, deployment, applicability to widespread installation base, or stability (Red Hat).