CVE-2025-32415: 
NixOS vulnerability analysis and mitigation

A heap-based buffer under-read vulnerability was discovered in libxml2 versions before 2.13.8 and 2.14.x before 2.14.2. The vulnerability exists in the xmlSchemaIDCFillNodeTables function within xmlschemas.c. The issue was disclosed on April 17, 2025, and affects various versions of the libxml2 library (NVD).

The vulnerability is classified as a heap-based buffer under-read issue in the xmlSchemaIDCFillNodeTables function. The CVSS v3.1 base score is 7.5 (HIGH) according to NVD's assessment, with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. MITRE has assigned it a lower score of 2.9 (LOW) with vector string CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L. The vulnerability is categorized under CWE-125 (Out-of-bounds Read) and CWE-1284 (Improper Validation of Specified Quantity in Input) (NVD).

The vulnerability can be triggered when a crafted XML document is validated against an XML schema with certain identity constraints, or when a crafted XML schema is used. This can lead to potential system crashes and denial of service conditions (NVD, Red Hat).

Red Hat has indicated that mitigation options are either not available or do not meet their Product Security criteria for ease of use and deployment, applicability to widespread installation base, or stability. Users are advised to upgrade to libxml2 version 2.13.8 or 2.14.2 or later when available (Red Hat).